> On Nov 6, 2017, at 6:28 AM, Andrey V. Elsukov <bu7c...@yandex.ru> wrote: > >> Reverting the rule on a running system back to "ip", still yields >> no panics, but I am now running a different 11.1 kernel built from >> SVN with my "stf" patch. So it is sadly not quite clear where the >> problem was, my original configuration, the older kernel, something >> else? > > I think it is the right assumption, that IPv6 packet got corrupted by > nat44 and then ip6_output() is confused by incorrect packet, especially > wrong packet length may lead to fragmentation and due to the discrepancy > between ip6_plen and m_pkthdr.len ip6_fragment() creates wrong fragments > chain. > > I think the following patch should be enough to fix the problem: > > Index: sys/netpfil/ipfw/ip_fw2.c > =================================================================== > --- sys/netpfil/ipfw/ip_fw2.c (revision 325354) > +++ sys/netpfil/ipfw/ip_fw2.c (working copy) > @@ -2563,7 +2563,7 @@ do { > \ > case O_NAT: > l = 0; /* exit inner loop */ > done = 1; /* exit outer loop */ > - if (!IPFW_NAT_LOADED) { > + if (!is_ipv4 || !IPFW_NAT_LOADED) { > retval = IP_FW_DENY; > break; > } > >
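Review bot: In the O_NAT case, the added `!is_ipv4` test shares the `retval = IP_FW_DENY` branch with the module-not-loaded check, and it runs after `l = 0` and `done = 1` have already ended rule processing. Any non-IPv4 packet that matches a nat rule is therefore dropped, not passed on without NAT to later rules, so a ruleset whose nat rule matches "ip" rather than "ip4" would start denying IPv6 traffic once this is applied. If that is intended, add a comment above the condition saying that nat is IPv4-only and that other packets are denied, and note in the documentation that nat rules should be restricted to ip4. Otherwise, handle the non-IPv4 case separately from `!IPFW_NAT_LOADED` so the two outcomes can differ.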
Would this cause the packet to be denied, or passed through without nat? Presumably, I would then have to have "ip4" and not "ip" as "ip6" would then be denied by the "nat" rule. Right?

Any comments on my message (and patch) with subject:

    [Patch] The 6to4 stf0 interface flapping in/out of tentative in FreeBSD 11

How do I get this addressed by the maintainer of stf?

--
Viktor.