On Mon, Aug 1, 2011 at 11:59 PM, Alexander Bluhm <alexander.bl...@gmx.net> wrote:
> On Wed, Jul 27, 2011 at 12:44:21AM +0200, Alexander Bluhm wrote:
>> On Fri, May 20, 2011 at 11:54:09AM +0200, Camiel Dobbelaar wrote:
>> > I'll spend some more time on this, but maybe there's an IPv6 guru that
>> > can lend a hand? :-)
>>
>> Just removing the check seems wrong to me.  This would allow ::1
>> addresses from the wire.  Also the goto hbhcheck would get lost.
>
> I have reconsidered the existing loopback check in ip6_input().  It
> is wrong.  The check that ::1 is not allowed from the wire must be
> before pf_test().  Otherwise pf could reroute or redirect such a
> packet.
>
> KAME moved the check in rev 1.189 of their ip6_input.c.  They also
> removed the special goto ours logic for ::1.  I do not change that
> now before release so leave the goto where it is.
>
> Redirect or nat to ::1 should work with this diff.  But I still
> believe that divert-to is more suitable for that.
>
> ok?
>
> bluhm
>
this looks correct. ok mikeb
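Added illustration of the ordering argument in the thread (this is not the OpenBSD diff under review, whose code does not appear in the mail, and every function and type name below is hypothetical): a toy ip6_input() that either runs the "::1 from the wire" check before a simulated pf_test() or after it. With the check first, a wire packet carrying ::1 never reaches pf, and a pf rdr rule that rewrites a destination to ::1 is delivered rather than dropped; with the check after pf, pf processes the bogus packet before it is dropped, and the legitimate redirect to ::1 is rejected. The addresses are constructed from the 2001:db8::/32 documentation prefix.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the toy input path. TOY_DROP_AFTER_PF means the packet was
 * dropped only after the simulated pf_test() had already processed it. */
enum toy_verdict { TOY_DELIVER = 0, TOY_DROP_BEFORE_PF = 1, TOY_DROP_AFTER_PF = 2 };

struct toy_pkt {
    struct in6_addr src;
    struct in6_addr dst;
    bool from_loopback_if;   /* arrived on the loopback interface (lo0)? */
};

/* One hypothetical "rdr ... -> ::1" rule: rewrite dst to ::1 when it matches. */
struct toy_rdr {
    bool enabled;
    struct in6_addr match;
};

static bool carries_loopback_addr(const struct toy_pkt *p)
{
    return IN6_IS_ADDR_LOOPBACK(&p->src) || IN6_IS_ADDR_LOOPBACK(&p->dst);
}

/* Stand-in for pf_test(): applies the single rdr rule to the packet. */
static void toy_pf_test(struct toy_pkt *p, const struct toy_rdr *rdr)
{
    if (rdr->enabled && IN6_ARE_ADDR_EQUAL(&p->dst, &rdr->match))
        p->dst = in6addr_loopback;
}

/* Toy ip6_input(): the "::1 from the wire" check runs either before or after
 * the pf hook, selected by check_before_pf. */
static enum toy_verdict toy_ip6_input(struct toy_pkt *p, const struct toy_rdr *rdr,
                                      bool check_before_pf)
{
    if (check_before_pf && !p->from_loopback_if && carries_loopback_addr(p))
        return TOY_DROP_BEFORE_PF;
    toy_pf_test(p, rdr);
    if (!check_before_pf && !p->from_loopback_if && carries_loopback_addr(p))
        return TOY_DROP_AFTER_PF;
    return TOY_DELIVER;
}

/* Builds a constructed packet from textual addresses and runs it through the
 * toy input path. rdr_match may be NULL for "no rdr rule". Returns a
 * toy_verdict value, or -1 on an address parse error. */
int toy_scenario(const char *src, const char *dst, bool from_loopback_if,
                 const char *rdr_match, bool check_before_pf)
{
    struct toy_pkt p;
    struct toy_rdr rdr;

    memset(&p, 0, sizeof p);
    memset(&rdr, 0, sizeof rdr);
    if (inet_pton(AF_INET6, src, &p.src) != 1 ||
        inet_pton(AF_INET6, dst, &p.dst) != 1)
        return -1;
    p.from_loopback_if = from_loopback_if;
    if (rdr_match != NULL) {
        if (inet_pton(AF_INET6, rdr_match, &rdr.match) != 1)
            return -1;
        rdr.enabled = true;
    }
    return (int)toy_ip6_input(&p, &rdr, check_before_pf);
}

int main(void)
{
    /* Constructed scenarios: 0 = delivered, 1 = dropped before pf, 2 = dropped after pf. */
    printf("wire pkt with src ::1, check before pf:  %d\n",
           toy_scenario("::1", "2001:db8::1", false, NULL, true));
    printf("wire pkt with src ::1, check after pf:   %d\n",
           toy_scenario("::1", "2001:db8::1", false, NULL, false));
    printf("rdr 2001:db8::1 -> ::1, check before pf: %d\n",
           toy_scenario("2001:db8::2", "2001:db8::1", false, "2001:db8::1", true));
    printf("rdr 2001:db8::1 -> ::1, check after pf:  %d\n",
           toy_scenario("2001:db8::2", "2001:db8::1", false, "2001:db8::1", false));
    return 0;
}
```

The two "check after pf" runs are the cases the mail calls wrong: pf has already evaluated a packet that should never have reached it, and a redirect to ::1 is dropped by the very check meant to reject wire packets. Packets that genuinely arrive on the loopback interface pass in both orderings.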