From owner-freebsd-net@freebsd.org  Tue Mar 21 02:24:32 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 742F1D15541
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Tue, 21 Mar 2017 02:24:32 +0000 (UTC)
 (envelope-from ermal.luci@gmail.com)
Received: from mail-io0-x234.google.com (mail-io0-x234.google.com
 [IPv6:2607:f8b0:4001:c06::234])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3D3C8117C;
 Tue, 21 Mar 2017 02:24:32 +0000 (UTC)
 (envelope-from ermal.luci@gmail.com)
Received: by mail-io0-x234.google.com with SMTP id z13so41238994iof.2;
 Mon, 20 Mar 2017 19:24:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:in-reply-to:references:from:date:message-id:subject:to
 :cc; bh=mt0hLXLaDy+MvgI3S90TAiyAiPQ+i3mbJ1DxPp6rQn8=;
 b=Vot5Ir5zOf9FaAAloAp3SxS8tH9vkDDYEcQ5+VFBTTH9EfyhkDKlyz/mwx8hQsBZe+
 +Xt2TSP5mA8sbfreatB1ydi97mW4UTMaCxTcrEbRuOJo0xVRy9m1bBhyduXRu+NO/uM6
 ck1emmnnd9cQ+G4H+j56U9Yx5FhwooSPzPvAyuJaiZgmbUX1jeXEYDvPwaE633IRSnAe
 32bJ8cAsDbZ7dZjqt2iy38LyENjvhfXjLdDayZtPbc7REHeZLB6QY8KngeED6YcbcxiU
 43VpVLD/Wpt9Ml3MoazM1RfBfMKUevf2A3LUHCGXOc/xBPlBzt5BDN88/OphifTScxuK
 3VnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:in-reply-to:references:from:date
 :message-id:subject:to:cc;
 bh=mt0hLXLaDy+MvgI3S90TAiyAiPQ+i3mbJ1DxPp6rQn8=;
 b=elJBwEq18zMffvIIbxhYwKuKFK0g0KDAq463D1sxXdG2EhBlK/4TDhoNvTqmoTn9Dh
 7LOvj5ip7J3P1Gh1zixWG2bAEPitZT/ExjOo+ZfJeFFMYh0KchIGLt0s+XCMDH1mpmVB
 l/0pF6Cu+dZrteTLkZTzMbafu2Kgx7lQm4cqB0qDVaUvFOIbw+63mxfklhZaZOcJLGe+
 FCXsHP73ip4dI1PPzgVHOeMaT2QBuljvjQjlipvNenPc7Ggn99BOAF1siYHrqRw13GCf
 fpwIBobIBA1EXCxI+1fWVep2l3DBkuoKkikIeeDpvNNJK0aVWYdU8yvuZi4DGeHY+f0q
 ifrQ==
X-Gm-Message-State: AFeK/H0eFY2cE6Hnl+Sme7fZIg13AeQl8vnDYqT5WG5C6LBQ/kzdtLzhtHfWqHpU+f8U85lJOxBNftGcLgIucA==
X-Received: by 10.107.31.11 with SMTP id f11mr29004515iof.183.1490063071425;
 Mon, 20 Mar 2017 19:24:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.149.135 with HTTP; Mon, 20 Mar 2017 19:24:30 -0700 (PDT)
In-Reply-To: <bug-203735-2472-QLl8ivsAu1@https.bugs.freebsd.org/bugzilla/>
References: <bug-203735-2472@https.bugs.freebsd.org/bugzilla/>
 <bug-203735-2472-QLl8ivsAu1@https.bugs.freebsd.org/bugzilla/>
From: =?UTF-8?Q?Ermal_Lu=C3=A7i?= <ermal.luci@gmail.com>
Date: Mon, 20 Mar 2017 19:24:30 -0700
Message-ID: <CAPBZQG0uLNwKfdZF12zUh0wOqUmUR086T_t=-U1=PEwLdHvmpg@mail.gmail.com>
Subject: Re: [Bug 203735] Transparent interception of ipv6 with squid and pf
 causes panic
To: bugzilla-noreply@freebsd.org
Cc: freebsd-net <freebsd-net@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 02:24:32 -0000

On Sun, Mar 19, 2017 at 9:41 PM, <bugzilla-noreply@freebsd.org> wrote:

> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735
>
> Kristof Provost <kp@freebsd.org> changed:
>
>            What    |Removed                     |Added
> ------------------------------------------------------------
> ----------------
>                  CC|                            |kp@freebsd.org
>
> --- Comment #7 from Kristof Provost <kp@freebsd.org> ---
> The good news is this no longer panics, but it still doesn't work.
>
> This turns out to be somewhat tricky.
> The underlying problem is one of address scope.
>
> It can be fixed on the receive side with a patch like this:
>
> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
> index 81290f91b40..d68f81ddf15 100644
> --- a/sys/netpfil/pf/pf.c
> +++ b/sys/netpfil/pf/pf.c
> @@ -6538,8 +6538,12 @@ done:
>             pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr !=
> NULL &&
>             (s->nat_rule.ptr->action == PF_RDR ||
>             s->nat_rule.ptr->action == PF_BINAT) &&
>            IN6_IS_ADDR_LOOPBACK(&pd.dst->v6))
> -               m->m_flags |= M_SKIP_FIREWALL;
> +               m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;
>


I am not sure this is really what is happening here.
Can you provide more data from your analysis?



>
> This tells ip6_input() to skip the scope checks, which seems appropriate.
> It still fails on the reply packet though, so this doesn't actually fix the
> whole use case.
>
> --
> You are receiving this mail because:
> You are on the CC list for the bug.
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>



-- 
Ermal