On 06.11.2017 07:40, Viktor Dukhovni wrote: >> From first glance I don't see any restrictions in libalias/nat44 to not >> try to translate IPv6 packet assuming it as IPv4. > > I've changed the rule from "ip" to "ip4", but also made other > changes to get 6to4 working, and no longer see panics. > > Reverting the rule on a running system back to "ip", still yields > no panics, but I am now running a different 11.1 kernel built from > SVN with my "stf" patch. So it is sadly not quite clear where the > problem was, my original configuration, the older kernel, something > else?
I think it is the right assumption, that IPv6 packet got corrupted by
nat44 and then ip6_output() is confused by incorrect packet, especially
wrong packet length may lead to fragmentation and due to the discrepancy
between ip6_plen and m_pkthdr.len ip6_fragment() creates wrong fragments
chain.
I think the following patch should be enough to fix the problem:
Index: sys/netpfil/ipfw/ip_fw2.c
===================================================================
--- sys/netpfil/ipfw/ip_fw2.c (revision 325354)
+++ sys/netpfil/ipfw/ip_fw2.c (working copy)
@@ -2563,7 +2563,7 @@ do {
\
case O_NAT:
l = 0; /* exit inner loop */
done = 1; /* exit outer loop */
- if (!IPFW_NAT_LOADED) {
+ if (!is_ipv4 || !IPFW_NAT_LOADED) {
retval = IP_FW_DENY;
break;
}
--
WBR, Andrey V. Elsukov
signature.asc
Description: OpenPGP digital signature
