kern/102647: Using pf stateful rules for inet6 fails
for connections originating from the firewall itself to a
service running on thesame box
SUZUKI Shinsuke
suz at freebsd.org
Tue Sep 5 03:53:35 UTC 2006
Hi,
>>>>> On Fri, 1 Sep 2006 21:22:45 +0200
>>>>> max at love2party.net(Max Laier) said:
> Thinking about this for a bit we might want to use the patch below
> instead. i.e. do the fixup locally in the pfil wrapper instead. This
> way other filters don't break if they have adapted to the new world
> order.
>
> Thoughts? Please test and report back, either way.
I'm fine with your patch. (it is preferable to add a comment about
this hack, though)
After the PR originator confirmed the fix, could you please commit it?
Thanks,
----
SUZUKI, Shinsuke @ KAME Project
> Index: pf_ioctl.c
> ===================================================================
> RCS file: /usr/store/mlaier/fcvs/src/sys/contrib/pf/net/pf_ioctl.c,v
> retrieving revision 1.25
> diff -u -r1.25 pf_ioctl.c
> --- pf_ioctl.c 21 Jul 2006 09:48:13 -0000 1.25
> +++ pf_ioctl.c 1 Sep 2006 19:19:49 -0000
> @@ -3442,7 +3442,8 @@
> */
> int chk;
>
> - chk = pf_test6(PF_IN, ifp, m, NULL, inp);
> + chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? &loif[0] : ifp, m,
> + NULL, inp);
> if (chk && *m) {
> m_freem(*m);
> *m = NULL;
More information about the freebsd-pf
mailing list