On Fri, May 20, 2011 at 11:54:09AM +0200, Camiel Dobbelaar wrote:
> I'll spend some more time on this, but maybe there's an IPv6 guru that
> can lend a hand? :-)

Just removing the check seems wrong to me. This would allow ::1 addresses from the wire. Also the goto hbhcheck would get lost.

A solution that might work would be to put the check

	if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) ||
	    IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
		if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
			ip6stat.ip6s_badscope++;
			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr);
			goto bad;
		}
	}

before the pf_test() call and

	if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) {
		ours = 1;
		deliverifp = m->m_pkthdr.rcvif;
		goto hbhcheck;
	}

after pf_test().

But I am not convinced that changing IPv6 scopes in pf is a good idea. Using link-local with nat and rdr does not work either. pf is not aware of IPv6 scopes, including local scope. Just don't mix them. If your use case is to redirect to a local socket, just use pf divert-to rules instead.

bluhm

> > > > Index: ip6_input.c > =================================================================== > RCS file: /cvs/src/sys/netinet6/ip6_input.c,v > retrieving revision 1.99 > diff -u -r1.99 ip6_input.c > --- ip6_input.c 3 Apr 2011 13:56:05 -0000 1.99 > +++ ip6_input.c 20 May 2011 09:30:14 -0000 > @@ -270,7 +270,6 @@ > in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); > goto bad; > } > - > if (IN6_IS_ADDR_MC_INTFACELOCAL(&ip6->ip6_dst) && > !(m->m_flags & M_LOOP)) { > /* > @@ -340,19 +339,6 @@ > ip6 = mtod(m, struct ip6_hdr *); > srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst); > #endif > - > - if (IN6_IS_ADDR_LOOPBACK(&ip6->ip6_src) || > - IN6_IS_ADDR_LOOPBACK(&ip6->ip6_dst)) { > - if (m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) { > - ours = 1; > - deliverifp = m->m_pkthdr.rcvif; > - goto hbhcheck; > - } else { > - ip6stat.ip6s_badscope++; > - in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_addrerr); > - goto bad; > - } > - } > > /* drop packets if interface ID portion is already filled */ > if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
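
Review bot: The first hunk (@@ -270,7 +270,6 @@) only deletes the blank line between the closing brace and the IN6_IS_ADDR_MC_INTFACELOCAL test, which is unrelated to the loopback change. Drop it so the diff carries only the functional change.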
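
Review bot: In the second hunk (@@ -340,19 +339,6 @@) the deleted else branch is the visible place where a packet with a loopback source or destination received on an interface without IFF_LOOPBACK is counted in ip6stat.ip6s_badscope and sent to bad. Removing the whole block deletes that rejection together with the ours = 1 / deliverifp / goto hbhcheck delivery path, and nothing is added in its place. Keep the rejection for non-loopback receive interfaces and keep a path that sets ours and jumps to hbhcheck for loopback destinations, changing only the part that has to change.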
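
Added example, not part of the original message or of the OpenBSD source: a userland C model comparing the single loopback check that the patch removes with the split check proposed in the reply. The type and function names are hypothetical, the rdr flag stands in for a pf rule that rewrites the destination to ::1, and it assumes the removed block runs after pf_test(), as the reply's wording implies.

```c
#include <stdbool.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Userland model of the check ordering; all names here are hypothetical. */
enum verdict { V_DROP_BADSCOPE, V_LOCAL, V_CONTINUE };
struct pkt {
	struct in6_addr src, dst;
	bool rcvif_loopback;	/* models rcvif->if_flags & IFF_LOOPBACK */
};

/* Build a packet from constructed sample addresses. */
struct pkt mk_pkt(const char *src, const char *dst, bool lo)
{
	struct pkt p = { .rcvif_loopback = lo };
	inet_pton(AF_INET6, src, &p.src);
	inet_pton(AF_INET6, dst, &p.dst);
	return p;
}

/* Single check after the filter, as in the lines the patch removes. */
enum verdict input_single_check(struct pkt p, bool rdr)
{
	if (rdr)	/* stand-in for a pf rdr rule rewriting dst to ::1 */
		p.dst = in6addr_loopback;
	if (IN6_IS_ADDR_LOOPBACK(&p.src) || IN6_IS_ADDR_LOOPBACK(&p.dst))
		return p.rcvif_loopback ? V_LOCAL : V_DROP_BADSCOPE;
	return V_CONTINUE;
}

/* Split check from the reply: scope test on wire addresses, then filter. */
enum verdict input_split_check(struct pkt p, bool rdr)
{
	if ((IN6_IS_ADDR_LOOPBACK(&p.src) || IN6_IS_ADDR_LOOPBACK(&p.dst)) &&
	    !p.rcvif_loopback)
		return V_DROP_BADSCOPE;	/* ::1 seen on a non-loopback interface */
	if (rdr)
		p.dst = in6addr_loopback;
	return IN6_IS_ADDR_LOOPBACK(&p.dst) ? V_LOCAL : V_CONTINUE;
}

int main(void)
{
	/* Constructed case: global addresses on the wire, redirected to ::1. */
	struct pkt p = mk_pkt("2001:db8::1", "2001:db8::2", false);
	return input_split_check(p, true) == V_LOCAL ? 0 : 1;
}
```

In this model a redirected packet is delivered locally only with the split ordering, while a packet that already carries ::1 on a non-loopback interface is dropped in both.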