kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

Sergey Matveychuk sem33 at yandex-team.ru
Tue Mar 15 19:30:14 UTC 2011


The following reply was made to PR kern/128260; it has been noted by GNATS.

From: Sergey Matveychuk <sem33 at yandex-team.ru>
To: bug-followup at FreeBSD.org, dan at obluda.cz
Cc:  
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
Date: Tue, 15 Mar 2011 22:22:26 +0300

 
 A patch to prevent looping when diverting packets from a "to me" rule.
 
 Let's look at the rule:
 ipfw add divert NNN ip from any to me
 
 After a packet is processed by the divert daemon it returns to the output 
 queue, passes the firewall again, is diverted again, and so on. It's a 
 loop. You can easily prevent it for IPv4:
 ipfw add divert NNN ip from any to me not via lo0
 
 But you cannot do it with IPv6, because it fools the firewall by 
 changing the interface name.
 
 The patch makes the behaviour the same for both protocols.
 
 Attachment nd6.diff (decoded from the base64 MIME part):

--- sys/netinet6/nd6.c.orig	2011-02-25 17:48:54.000000000 +0300
+++ sys/netinet6/nd6.c	2011-02-25 17:49:51.000000000 +0300
@@ -1928,10 +1928,6 @@
 		}
 		return (error);
 	}
-	if ((ifp->if_flags & IFF_LOOPBACK) != 0) {
-		return ((*ifp->if_output)(origifp, m, (struct sockaddr *)dst,
-		    NULL));
-	}
 	error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst, NULL);
 	return (error);
 
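Review bot: Deleting the IFF_LOOPBACK branch at the top of this hunk removes the only use of origifp visible in it, and the patch carries no comment or commit message saying why handing lo0's output routine origifp instead of ifp is no longer needed. That branch is what makes a packet looped back to the host be received on origifp rather than on lo0; the PR wants exactly that to change so that "not via lo0" works for IPv6 as it does for IPv4, but the same receive-interface choice may be relied on by other receive-side code, so the patch should state why the original interface was substituted there and what now covers that case. Please also check whether origifp is still referenced elsewhere in the function after this change; if it is not, it becomes an unused parameter and should be dropped from the signature (and its callers) rather than left to trigger a compiler warning.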

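To make concrete what "fools the firewall by changing the interface name" means, here is a small C model, added to this page and not part of the PR, of FreeBSD's nd6.c or of ipfw, of the path a reinjected "to me" packet takes: output, loopback delivery, then the inbound ipfw pass where `not via lo0` is evaluated against the interface the packet was received on. The interface names em0 and lo0, the flag and address-family values, and the function names are constructed for the example; only the IFF_LOOPBACK/origifp substitution mirrors the branch the patch removes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Interface flag and address families as used by the model (values are
 * local to this example, not taken from system headers). */
#define IFF_LOOPBACK 0x8
#define AF_INET      2
#define AF_INET6     28

struct ifnet {
	const char *if_xname;
	int if_flags;
};

/* The only packet state the model needs: family and receive interface
 * (the kernel's m->m_pkthdr.rcvif). */
struct pkt {
	int af;
	struct ifnet *rcvif;
};

/* Constructed interfaces: the NIC the address lives on, and loopback. */
static struct ifnet em0 = { "em0", 0 };
static struct ifnet lo0 = { "lo0", IFF_LOOPBACK };

/* Loopback delivery: the packet is re-received on the interface passed in. */
static void simloop(struct ifnet *ifp, struct pkt *p)
{
	p->rcvif = ifp;
}

/*
 * Output of a packet addressed to the host itself. ifp is the route's
 * interface (lo0 for a local address); origifp is the interface the
 * destination address belongs to. use_origifp models the IFF_LOOPBACK
 * special case the patch removes: lo0's output routine is handed origifp,
 * so the looped-back packet appears to arrive on em0 instead of lo0.
 */
static void model_output(struct ifnet *ifp, struct ifnet *origifp,
    struct pkt *p, bool use_origifp)
{
	if (use_origifp && (ifp->if_flags & IFF_LOOPBACK) != 0) {
		simloop(origifp, p);
		return;
	}
	simloop(ifp, p);
}

/* Inbound pass of "divert NNN ip from any to me not via lo0": true if diverted. */
static bool divert_rule_matches(const struct pkt *p)
{
	return strcmp(p->rcvif->if_xname, "lo0") != 0;
}

/*
 * One round trip after the divert daemon reinjects the packet: output,
 * loopback, inbound firewall pass. Returns true when the packet is diverted
 * again, i.e. the loop the PR describes. The IPv4 path never substitutes
 * origifp; the IPv6 path did until the patch.
 */
bool loops_after_reinject(int af, bool patched)
{
	struct pkt p = { af, NULL };
	bool use_origifp = (af == AF_INET6) && !patched;

	model_output(&lo0, &em0, &p, use_origifp);
	return divert_rule_matches(&p);
}

int main(void)
{
	printf("IPv4, unpatched: loops=%d\n", loops_after_reinject(AF_INET, false));
	printf("IPv6, unpatched: loops=%d\n", loops_after_reinject(AF_INET6, false));
	printf("IPv6, patched:   loops=%d\n", loops_after_reinject(AF_INET6, true));
	return 0;
}
```

With the special case in effect the IPv6 packet comes back with rcvif em0, so `not via lo0` still matches and the divert rule fires again on every trip; once lo0 is passed through unchanged, the looped-back packet is seen on lo0 for both families and the exclusion works the same way it does for IPv4.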

More information about the freebsd-ipfw mailing list