From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:05:40 2011
Return-Path:
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 890B11065670 for ; Fri, 4 Mar 2011 19:05:40 +0000 (UTC) (envelope-from bd@dax.nu)
Received: from xenis.dax.nu (xenis.dax.nu [194.68.48.87]) by mx1.freebsd.org (Postfix) with ESMTP id 168088FC17 for ; Fri, 4 Mar 2011 19:05:39 +0000 (UTC)
Received: from kali.pri (ua-83-227-152-132.cust.bredbandsbolaget.se [83.227.152.132]) (authenticated bits=0) by xenis.dax.nu (8.14.3/8.14.1/SuSE Linux 0.8) with ESMTP id p24IpYkq024437 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Fri, 4 Mar 2011 19:51:35 +0100
To:
From: Bjorn Danielsson
Date: Fri, 04 Mar 2011 19:51:34 +0100
Message-ID:
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (xenis.dax.nu [194.68.48.87]); Fri, 04 Mar 2011 19:51:35 +0100 (CET)
Cc: Sergey Matveychuk
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 04 Mar 2011 19:05:40 -0000

Sergey Matveychuk wrote:

> Here is my patch for IPv6 divert. It works for me, but it should be
> reviewed and may be improved.
>
> I've touched nd6.c to prevent looping packet to local address (loopback).
>
> Any questions are welcome.

I needed one more change for my "options IPDIVERT" enabled kernel:

    #include "opt_inet6.h"

which I put right after "opt_inet.h" under the !defined(KLD_MODULE) condition at the beginning of netinet/ip_divert.c. Without this change my divert socket could read but not write IPv6 packets.
I am not familiar with the FreeBSD kernel, so this was based on a guess after noticing how INET6 was handled in other places. Both copying the incoming sockaddr_in and creating a new one using INADDR_ANY seem to work in sendto() after this change. I haven't tried any packet rewriting yet, but I'll be testing that very soon.

Many thanks, Sergey, for contributing this patch!