https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=203735
Kristof Provost <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #7 from Kristof Provost <[email protected]> ---
The good news is this no longer panics, but it still doesn't work.

This turns out to be somewhat tricky. The underlying problem is one of address scope.
It can be fixed on the receive side with a patch like this:

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 81290f91b40..d68f81ddf15 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -6538,8 +6538,12 @@ done: pd.proto == IPPROTO_UDP) && s != NULL && s->nat_rule.ptr != NULL && (s->nat_rule.ptr->action == PF_RDR || s->nat_rule.ptr->action == PF_BINAT) && IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)) - m->m_flags |= M_SKIP_FIREWALL; + m->m_flags |= M_SKIP_FIREWALL | M_FASTFWD_OURS;

This tells ip6_input() to skip the scope checks, which seems appropriate.
It still fails on the reply packet though, so this doesn't actually fix the whole use case.
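
Review bot: the `+` line ORs M_FASTFWD_OURS into m->m_flags with no comment explaining why a forwarding flag is set here. Its effect, per the comment text, is to make ip6_input() skip its scope checks for a packet whose destination is ::1, so a short comment beside the condition should state that this is deliberate and limited to redirected traffic. It is also worth confirming in review that the bypass is reachable only through the visible guard (s != NULL, s->nat_rule.ptr != NULL, action PF_RDR or PF_BINAT, IN6_IS_ADDR_LOOPBACK(&pd.dst->v6)), since those scope checks are what normally reject loopback-destined packets that arrive from the wire. The hunk header reads -6538,8 +6538,12 but only a one-line replacement is shown, so the remaining added lines should be posted before this is evaluated. As the comment itself notes, the reply packet still fails, so the change is incomplete until the return path gets matching handling.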
