Date: Mon, 20 Mar 2017 19:24:30 -0700
From: Ermal Luçi <ermal.luci@gmail.com>
To: bugzilla-noreply@freebsd.org
Cc: freebsd-net <freebsd-net@freebsd.org>
Subject: Re: [Bug 203735] Transparent interception of ipv6 with squid and pf causes panic
Message-ID: <CAPBZQG0uLNwKfdZF12zUh0wOqUmUR086T_t=-U1=PEwLdHvmpg@mail.gmail.com>
In-Reply-To: <bug-203735-2472-QLl8ivsAu1@https.bugs.freebsd.org/bugzilla/>
References: <bug-203735-2472@https.bugs.freebsd.org/bugzilla/> <bug-203735-2472-QLl8ivsAu1@https.bugs.freebsd.org/bugzilla/>
On Sun, Mar 19, 2017 at 9:41 PM, <bugzilla-noreply@freebsd.org> wrote: > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735 > > Kristof Provost <kp@freebsd.org> changed: > > What |Removed |Added > ------------------------------------------------------------ > ---------------- > CC| |kp@freebsd.org > > --- Comment #7 from Kristof Provost <kp@freebsd.org> --- > The good news is this no longer panics, but it still doesn't work. > > This turns out to be somewhat tricky. > The underlying problem is one of address scope. > > It can be fixed on the receive side with a patch like this: > > diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c > index 81290f91b40..d68f81ddf15 100644 > --- a/sys/netpfil/pf/pf.c > +++ b/sys/netpfil/pf/pf.c > @@ -6538,8 +6538,12 @@ done: > pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != > NULL && > (s->nat_rule.ptr->action == PF_RDR || > s->nat_rule.ptr->action == PF_BINAT) && > IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) > - m->m_flags |= M_SKIP_FIREWALL; > + m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS; > I am not sure this is really what is happening here. Can you provide more data from your analysis? > > This tells ip6_input() to skip the scope checks, which seems appropriate. > It still fails on the reply packet though, so this doesn't actually fix the > whole use case. > > -- > You are receiving this mail because: > You are on the CC list for the bug. > _______________________________________________ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > -- Ermal
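Review bot: the changed assignment `m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;` needs a code comment explaining why M_FASTFWD_OURS is set. The only rationale, that it tells ip6_input() to skip the scope checks, is in the bug comment and not next to the flag. Since the flag bypasses a check, the comment should also say that it applies only under the enclosing condition (a state with a nat_rule whose action is PF_RDR or PF_BINAT and an IN6_IS_ADDR_LOOPBACK destination), so a later edit to that condition does not silently widen the bypass. The hunk header `@@ -6538,8 +6538,12 @@` announces four added lines, but only this one-line change is visible in the quoted text, so the rest of the hunk cannot be reviewed from this message. As the bug comment itself notes, this addresses the receive side only and the reply packet still fails.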