[Bug 203735] Transparent interception of ipv6 with squid and pf causes panic

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon Mar 20 04:41:04 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735

Kristof Provost <kp at freebsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kp at freebsd.org

--- Comment #7 from Kristof Provost <kp at freebsd.org> ---
The good news is this no longer panics, but it still doesn't work.

This turns out to be somewhat tricky.
The underlying problem is one of address scope.

It can be fixed on the receive side with a patch like this:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 81290f91b40..d68f81ddf15 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -6538,8 +6538,12 @@ done:
            pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL &&
            (s->nat_rule.ptr->action == PF_RDR ||
            s->nat_rule.ptr->action == PF_BINAT) &&
           IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
-               m->m_flags |= M_SKIP_FIREWALL;
+               m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;
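Review bot: the added M_FASTFWD_OURS bit has no comment explaining why the scope checks in ip6_input() are being bypassed on this path; since this is the only place pf sets it, add a comment above the assignment stating that the packet was redirected to a loopback destination by a PF_RDR/PF_BINAT rule and is therefore delivered locally without the usual scope validation. Note also that the surrounding condition only matches when IN6_IS_ADDR_LOOPBACK(&pd.dst->v6) is true (i.e. ::1), so a redirect to any other local address still goes through the scope checks, and, as the comment text says, the reply direction is not handled by this hunk at all.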

This tells ip6_input() to skip the scope checks, which seems appropriate.
It still fails on the reply packet though, so this doesn't actually fix the
whole use case.
