Date: Thu, 25 Jan 2018 16:54:04 -0700
From: Alan Somers <asomers@freebsd.org>
To: "Andrey V. Elsukov" <bu7cher@yandex.ru>
Cc: Eugene Grosbein <eugen@grosbein.net>, FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org>
Subject: Re: pf: redirect a packet's port but not its address?
Message-ID: <CAOtMX2gV7WLc7aUe5DEhodNx1z8-pLkrqfBMeQYfDF-HFctYAg@mail.gmail.com>
In-Reply-To: <a5e3717c-4344-2067-9b0f-4c288cf3505a@yandex.ru>
References: <CAOtMX2j80odQ7%2Bt3eiFfyV-B5AU0deeNFU1HLwAf05fL8nJZhA@mail.gmail.com> <a4eef32f-0446-43d7-3291-8034423122f0@yandex.ru> <CAOtMX2jroiz57KyQZUk%2B4aW4=_1m=Qs7wEP=_3pEVL%2BE2jg22A@mail.gmail.com> <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <CAOtMX2i3ZPM8TjHQvSj6tSjjDCEQhD2jqJkb6jZCMh3VjK_nUg@mail.gmail.com> <5A6781E9.5060405@grosbein.net> <CAOtMX2h%2BU82k6%2BB_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com> <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru> <a5e3717c-4344-2067-9b0f-4c288cf3505a@yandex.ru>

On Wed, Jan 24, 2018 at 3:16 AM, Andrey V. Elsukov <bu7cher@yandex.ru> wrote:

> On 24.01.2018 02:26, Andrey V. Elsukov wrote:
> > I think it is correct behavior if you try to forward to loopback
> > address. In case when you listen on the LLA and fwd to this LLA there is
> > seems the bug.
> >
> > # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any
> > dst-port 4000
> > # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678
> >
> > This doesn't work, because ip6_input() doesn't embed scope zone index
> > into IPv6 header's addresses before TCP segment will be handled by
> > tcp_input().
> >
> > I think the bug is in ipfw_check_packet() function. Since it changes
> > destination address and sets M_FASTFWD_OURS flag, it also should embed
> > scope zone id into ip6_src/ip6_dst and check for scope violation like
> > ip6_input() does just after "passin" label.
> >
> > With this patch I'm able to use above commands and they work.
>
> After some thought I think it is not quite correct to embed scope zone
> id into IP header in the pfil hook, because several hooks can be chained
> and this can break another check. Instead, can you test this patch?
>
> I moved M_FASTFWD_OURS check below of scope check, now if fwd address is
> our local, scope zone index will be correctly embedded into IP header if
> this is needed. And thus tcp_input() will correctly handle this case.
>
> --
> WBR, Andrey V. Elsukov
>

Yep. With that patch I can receive the redirected packet whether
listening on the unspecified address or on the LLA.

-Alan