Date:      Wed, 24 Jan 2018 13:16:21 +0300
From:      "Andrey V. Elsukov" <bu7cher@yandex.ru>
To:        Alan Somers <asomers@freebsd.org>, Eugene Grosbein <eugen@grosbein.net>
Cc:        FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org>
Subject:   Re: pf: redirect a packet's port but not its address?
Message-ID:  <a5e3717c-4344-2067-9b0f-4c288cf3505a@yandex.ru>
In-Reply-To: <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru>
References:  <CAOtMX2j80odQ7%2Bt3eiFfyV-B5AU0deeNFU1HLwAf05fL8nJZhA@mail.gmail.com> <a4eef32f-0446-43d7-3291-8034423122f0@yandex.ru> <CAOtMX2jroiz57KyQZUk%2B4aW4=_1m=Qs7wEP=_3pEVL%2BE2jg22A@mail.gmail.com> <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <CAOtMX2i3ZPM8TjHQvSj6tSjjDCEQhD2jqJkb6jZCMh3VjK_nUg@mail.gmail.com> <5A6781E9.5060405@grosbein.net> <CAOtMX2h%2BU82k6%2BB_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com> <6d367aa6-948a-8dd6-cfc9-dd6017722591@yandex.ru>

On 24.01.2018 02:26, Andrey V. Elsukov wrote:
> I think it is correct behavior if you try to forward to loopback
> address. In case when you listen on the LLA and fwd to this LLA there
> seems to be the bug.
>
> # ipfw add fwd fe80::e6a7:a0ff:fe8e:16bf%lagg0,5678 tcp from any to any dst-port 4000
> # nc -6 -l fe80::e6a7:a0ff:fe8e:16bf%lagg0 5678
>
> This doesn't work, because ip6_input() doesn't embed the scope zone index
> into the IPv6 header's addresses before the TCP segment is handled by
> tcp_input().
>
> I think the bug is in the ipfw_check_packet() function. Since it changes the
> destination address and sets the M_FASTFWD_OURS flag, it should also embed the
> scope zone id into ip6_src/ip6_dst and check for scope violation like
> ip6_input() does just after the "passin" label.
>
> With this patch I'm able to use the above commands and they work.
After some thought I think it is not quite correct to embed the scope zone
id into the IP header in the pfil hook, because several hooks can be chained
and this can break another check. Instead, can you test this patch?

I moved the M_FASTFWD_OURS check below the scope check; now, if the fwd address
is our local one, the scope zone index will be correctly embedded into the IP
header if this is needed, and thus tcp_input() will correctly handle this case.

-- 
WBR, Andrey V. Elsukov

Attachment: ip6_input.diff
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 167193a3758..ea65c1da814 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -769,13 +769,7 @@ ip6_input(struct mbuf *m)
 		return;
 	ip6 =3D mtod(m, struct ip6_hdr *);
 	srcrt =3D !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
-
-	if (m->m_flags & M_FASTFWD_OURS) {
-		m->m_flags &=3D ~M_FASTFWD_OURS;
-		ours =3D 1;
-		goto hbhcheck;
-	}
-	if ((m->m_flags & M_IP6_NEXTHOP) &&
+	if ((m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) =3D=3D M_IP6_NEXTHO=
P &&
 	    m_tag_find(m, PACKET_TAG_IPFORWARD, NULL) !=3D NULL) {
 		/*
 		 * Directly ship the packet on.  This allows forwarding
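Review bot: the rewritten test at the top of this hunk, `(m->m_flags & (M_IP6_NEXTHOP | M_FASTFWD_OURS)) == M_IP6_NEXTHOP`, changes which packets take the direct-ship path: a packet carrying both M_IP6_NEXTHOP and M_FASTFWD_OURS no longer does, and nothing in the hunk says why. Add a comment above the condition stating that packets forwarded to a local address must fall through to the scope checks so the zone index is embedded before local delivery, and say in the commit message that the early `goto hbhcheck` for M_FASTFWD_OURS has been moved rather than removed, since a reader of this hunk alone sees only the deletion.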
@@ -806,6 +800,11 @@ passin:
 		IP6STAT_INC(ip6s_badscope);
 		goto bad;
 	}
+	if (m->m_flags & M_FASTFWD_OURS) {
+		m->m_flags &=3D ~M_FASTFWD_OURS;
+		ours =3D 1;
+		goto hbhcheck;
+	}
 	/*
 	 * Multicast check. Assume packet is for us to avoid
 	 * prematurely taking locks.
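Review bot: the relocated M_FASTFWD_OURS block now sits between the `IP6STAT_INC(ip6s_badscope); goto bad;` exit and the multicast check, so its `goto hbhcheck` still bypasses the multicast check and everything after it; what these packets gain is only the scope handling above this point. A one-line comment here (that the destination was rewritten by ipfw fwd and its scope was validated and embedded just above) would document the ordering dependency, and it is worth confirming that no check between `passin:` and this block can `goto bad` for a legitimately forwarded packet whose destination was rewritten in the pfil hook.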
