https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280390

--- Comment #21 from Tatsuki Makino <tatsuki_mak...@hotmail.com> ---
(In reply to Tatsuki Makino from comment #20)

In the end, I came back to the method of using this :)
I wanted to keep one_pass enabled, so I used a rather unusual method with dynamic
rules; with the following patch, I tried to resolve the issue of icmpv6
being unable to pass.
The results of ipfw -D show indicated that more than 2 packets were captured
due to the ipv6-icmp rule, so this patch may be meaningful :)

Below is the patch.
It has been applied to 14.3-PRERELEASE.

diff --git a/sys/netpfil/ipfw/ip_fw_dynamic.c
b/sys/netpfil/ipfw/ip_fw_dynamic.c
index d26e05e5d15..23902a52404 100644
--- a/sys/netpfil/ipfw/ip_fw_dynamic.c
+++ b/sys/netpfil/ipfw/ip_fw_dynamic.c
@@ -487,6 +487,15 @@ SYSCTL_U32(_net_inet_ip_fw, OID_AUTO, dyn_keep_states,
     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(dyn_keep_states), 0,
     "Do not flush dynamic states on rule deletion");

+#ifdef INET6
+VNET_DEFINE_STATIC(int, _dyn_auto_add_icmpv6) = 0;
+#define V_dyn_auto_add_icmpv6  VNET(_dyn_auto_add_icmpv6)
+SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,
+       _dyn_auto_add_icmpv6, CTLFLAG_VNET | CTLFLAG_RW,
+       &VNET_NAME(_dyn_auto_add_icmpv6), 0,
+       "ipv6-icmp dynamic rule is also added at the same time when ip6 dynamic
rule is added");
+#endif /* INET6 */
+
 #ifdef IPFIREWALL_DYNDEBUG
 #define        DYN_DEBUG(fmt, ...)     do {                    \
        printf("%s: " fmt "\n", __func__, __VA_ARGS__); \
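Review bot: The new sysctl and its VNET variable are both named `_dyn_auto_add_icmpv6` with a leading underscore, which gives the user-visible OID `net.inet.ip.fw._dyn_auto_add_icmpv6` and is inconsistent with `dyn_keep_states` declared just above; a file-scope identifier starting with an underscore also falls into the namespace C reserves for the implementation. Use `VNET_DEFINE_STATIC(int, dyn_auto_add_icmpv6) = 0;`, `#define V_dyn_auto_add_icmpv6 VNET(dyn_auto_add_icmpv6)` and the OID `dyn_auto_add_icmpv6` so the knob follows the file's naming. The description string is shown split across two lines here, presumably by mail wrapping; as pasted it would not compile, so the patch as applied must have it on one line. A short comment on the sysctl saying that it is off by default and that enabling it adds a second state-table entry per IPv6 flow would help whoever tunes dyn_max later.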
@@ -1930,8 +1939,22 @@ dyn_install_state(const struct ipfw_flow_id *pkt,
uint32_t zoneid,
                    ulp, pktlen, hashval, info, fibnum, kidx, type);
 #ifdef INET6
        else if (IS_IP6_FLOW_ID(pkt))
+       {
                ret = dyn_add_ipv6_state(rule, ruleid, rulenum, pkt,
                    zoneid, ulp, pktlen, hashval, info, fibnum, kidx, type);
+               if (V_dyn_auto_add_icmpv6 && ret == 0 &&
+                       (pkt->proto != 0 && pkt->proto != IPPROTO_ICMPV6)) {
+                       struct ipfw_flow_id id;
+                       id = *pkt;
+                       id.proto = IPPROTO_ICMPV6;
+                       id.src_port = 0;
+                       id.dst_port = 0;
+                       if (dyn_add_ipv6_state(rule, ruleid, rulenum, &id,
+                           zoneid, ulp, pktlen, hashval, info, fibnum, kidx,
type) != 0) {
+                               /* ignore failure */
+                       }
+               }
+       }
 #endif /* INET6 */
        else
                ret = EAFNOSUPPORT;
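Review bot: The companion ICMPv6 state is installed with the caller's `hashval`, which was computed for the original flow id, while `id` has `proto` and both ports changed; if the bucket hash folds the ports in, as hash_packet() in this file does in the trees I know, the new state lands in a bucket that a later ICMPv6 lookup will not compute, which would explain the extra packets still hitting the static ipv6-icmp rule. Recompute the hash for `id` and pass that to the second call, e.g. `uint32_t hv6 = hash_packet(&id);` and `dyn_add_ipv6_state(rule, ruleid, rulenum, &id, zoneid, ulp, pktlen, hv6, info, fibnum, kidx, type)`. The empty `if (...) { /* ignore failure */ }` reads as an accident; `(void)dyn_add_ipv6_state(...)` with the comment above it says the same thing. Note for the description or a comment that the added state matches any ICMPv6 type between the two addresses in both directions, not only errors referencing the original flow, and that each IPv6 flow now consumes two entries against the dynamic-state limits. dyn_install_state begins and ends outside this hunk.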
