[Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Ermal Luçi
ermal.luci at gmail.com
Tue Mar 21 02:24:32 UTC 2017
On Sun, Mar 19, 2017 at 9:41 PM, <bugzilla-noreply at freebsd.org> wrote:
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735
>
> Kristof Provost <kp at freebsd.org> changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>                 CC|                            |kp at freebsd.org
>
> --- Comment #7 from Kristof Provost <kp at freebsd.org> ---
> The good news is this no longer panics, but it still doesn't work.
>
> This turns out to be somewhat tricky.
> The underlying problem is one of address scope.
>
> It can be fixed on the receive side with a patch like this:
>
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
> index 81290f91b40..d68f81ddf15 100644
> --- a/sys/netpfil/pf/pf.c
> +++ b/sys/netpfil/pf/pf.c
> @@ -6538,8 +6538,12 @@ done:
> pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr !=
> NULL &&
> (s->nat_rule.ptr->action == PF_RDR ||
> s->nat_rule.ptr->action == PF_BINAT) &&
> IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
> - m->m_flags |= M_SKIP_FIREWALL;
> + m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;
>
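Review bot: the hunk header advertises 12 new lines against 8 old, but only one changed line (`+ m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;`) is visible in the quoted excerpt, so the other added lines this hunk carries cannot be reviewed from here; please post the full hunk. On what is visible, the condition (TCP or UDP, a state whose nat rule is PF_RDR or PF_BINAT, and IN6_IS_ADDR_LOOPBACK on pd.dst) does not test the packet direction, so M_FASTFWD_OURS is also set on a packet that matched such a state in the output direction; either gate the new flag on the input direction or add a comment explaining why setting it outside the input path is harmless.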
I am not sure this is really what is happening here.
Can you provide more data from your analysis?
>
> This tells ip6_input() to skip the scope checks, which seems appropriate.
> It still fails on the reply packet though, so this doesn't actually fix the
> whole use case.
>
> --
> You are receiving this mail because:
> You are on the CC list for the bug.
> _______________________________________________
> freebsd-net at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe at freebsd.org"
>
--
Ermal
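The following is an added example, not code from FreeBSD, pf or this thread: a user-space model of the address-scope problem Kristof describes, in which a destination of ::1 that arrives on a non-loopback interface is bound to that interface's zone and so does not match the host's own ::1, and of what marking the packet "ours" (the role M_FASTFWD_OURS plays in the patch) changes on the receive side. The interface indexes, the flag value, the local-address table, the helper names and the sample packets are all constructed for this example; it does not model the reply-packet failure the comment mentions.

```c
/*
 * Added example, not FreeBSD code: a model of the IPv6 receive-side
 * address-scope check and of the "this packet is ours" override.
 * Interface indexes, the flag value, the local-address table and the
 * sample packets are constructed for this example.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MODEL_FASTFWD_OURS 0x1u   /* constructed stand-in for M_FASTFWD_OURS */

/* constructed interface indexes */
enum { IF_LO0 = 1, IF_EM0 = 2 };

enum verdict { DELIVER_LOCAL, NOT_OURS };

struct model_pkt {
    struct in6_addr dst;
    unsigned rcvif;    /* interface the packet arrived on */
    unsigned flags;
};

/* A scoped address: the address plus the zone (interface) it belongs to.
 * Global addresses have zone 0; loopback and link-local addresses are only
 * meaningful inside one interface's zone. */
struct scoped_addr {
    struct in6_addr addr;
    unsigned zone;
};

/* Model of scope embedding on input: a non-global destination is bound to
 * the zone of the interface it was received on. */
static struct scoped_addr set_scope(const struct in6_addr *a, unsigned rcvif) {
    struct scoped_addr s = { *a, 0 };
    if (IN6_IS_ADDR_LOOPBACK(a) || IN6_IS_ADDR_LINKLOCAL(a))
        s.zone = rcvif;
    return s;
}

/* Constructed table of the host's own addresses. */
static struct scoped_addr local_addrs[3];
static size_t n_local;

static void add_local(const char *txt, unsigned zone) {
    struct scoped_addr s;
    inet_pton(AF_INET6, txt, &s.addr);
    s.zone = zone;
    local_addrs[n_local++] = s;
}

static void init_local_addrs(void) {
    n_local = 0;
    add_local("::1", IF_LO0);          /* ::1 lives in lo0's zone */
    add_local("fe80::1", IF_EM0);      /* link-local address on em0 */
    add_local("2001:db8::80", 0);      /* global address, no zone */
}

static bool is_ours(const struct scoped_addr *d) {
    for (size_t i = 0; i < n_local; i++)
        if (memcmp(&local_addrs[i].addr, &d->addr, sizeof d->addr) == 0 &&
            local_addrs[i].zone == d->zone)
            return true;
    return false;
}

/* Model of the input decision: the "ours" flag short-circuits the scope
 * check and the local-address lookup; otherwise the scoped destination must
 * match one of our addresses in the same zone. */
static enum verdict ip6_input_model(const struct model_pkt *p) {
    if (p->flags & MODEL_FASTFWD_OURS)
        return DELIVER_LOCAL;
    struct scoped_addr d = set_scope(&p->dst, p->rcvif);
    return is_ours(&d) ? DELIVER_LOCAL : NOT_OURS;
}

/* Model of the pf rdr-to ::1 step, with or without the patch's flag. */
static void pf_rdr_to_loopback(struct model_pkt *p, bool with_patch) {
    inet_pton(AF_INET6, "::1", &p->dst);
    if (with_patch && IN6_IS_ADDR_LOOPBACK(&p->dst))
        p->flags |= MODEL_FASTFWD_OURS;
}

/* Receive path for a constructed intercepted client packet arriving on em0. */
enum verdict intercept_verdict(bool with_patch) {
    init_local_addrs();
    struct model_pkt p = {0};
    inet_pton(AF_INET6, "2001:db8:ffff::1", &p.dst);  /* the real web server */
    p.rcvif = IF_EM0;
    pf_rdr_to_loopback(&p, with_patch);
    return ip6_input_model(&p);
}

/* Plain, non-redirected delivery for comparison. */
enum verdict plain_verdict(const char *dst, unsigned rcvif) {
    init_local_addrs();
    struct model_pkt p = {0};
    inet_pton(AF_INET6, dst, &p.dst);
    p.rcvif = rcvif;
    return ip6_input_model(&p);
}

int main(void) {
    printf("rdr-to ::1 on em0, no flag:   %s\n",
           intercept_verdict(false) == NOT_OURS ? "not ours" : "delivered");
    printf("rdr-to ::1 on em0, with flag: %s\n",
           intercept_verdict(true) == DELIVER_LOCAL ? "delivered" : "not ours");
    return 0;
}
```

In the model, ::1 received on em0 is scoped to em0's zone and fails the lookup against the host's ::1 in lo0's zone, which is the scope mismatch; the flag set by the redirect step skips that lookup entirely, so the packet is delivered. The same zone logic makes fe80::1 match only when it arrives on em0.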