[Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Kristof Provost
kristof at sigsegv.be
Tue Mar 21 04:19:10 UTC 2017
On 21 Mar 2017, at 11:24, Ermal Luçi wrote:
> On Sun, Mar 19, 2017 at 9:41 PM, <bugzilla-noreply at freebsd.org> wrote:
>> + m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;
>>
>
>
> I am not sure this is really what is happening here.
> Can you provide more data from your analysis?
>
>
In ip6_input(), immediately after the pfil hook there’s a check for
M_FASTFWD_OURS.
If that flag is set we jump to hbhcheck, which skips all of the scope
validation.
In the given test case (rdr log on vtnet0 inet6 proto tcp from any to
any port 80 -> ::1 port 8000 for example),
I also see, in the output of `netstat -s -6` ‘X packets that violated
scope rules’ increment.
That still doesn’t work, but now I do see ip6_output() being called,
and the packet being discarded due to scope issues there (through simple
printf()s in the function).
Regards,
Kristof
More information about the freebsd-net
mailing list