Set up a pf ruleset with at least the following rule > pass out fastroute inet6 proto icmp6 all icmp6-type echoreq
Send out an icmp6 echo request (i.e. ping6 2001:db8::1). This causes a panic in ip6_output() when comparing the old and new destination addresses (IN6_ARE_ADDR_EQUAL()) just after the netpfil hook. The cause is the fastroute option, which means that the mbuf is handed off to ip6_output() from pf itself and should no longer be processed by the ip6_output() which called pf in the first place. The pf code in pf_route6() neglected to set the mbuf pointer to NULL after the call to ip6_output(). As a result we end up trying to continue processing on an mbuf which has already been freed. --- sys/netpfil/pf/pf.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index b32288b..7c3ddb8 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -5470,6 +5470,7 @@ pf_route6(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp, PF_STATE_UNLOCK(s); m0->m_flags |= M_SKIP_FIREWALL; ip6_output(m0, NULL, NULL, 0, NULL, NULL, NULL); + *m = NULL; return; } _______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
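Review bot: the added `*m = NULL;` correctly signals to the caller that ip6_output() has taken ownership of (and will free) the mbuf, but it deserves a one-line comment at that spot, e.g. `/* ip6_output() consumed m0; the caller must not touch it again. */`, since nothing in the hunk otherwise explains why the pointer is cleared before `return;`. While here, it is worth auditing the other exit paths of pf_route6() (and the IPv4 counterpart pf_route()) for the same ownership bug: any path that hands `m0` to an output routine or frees it itself should likewise clear `*m`, otherwise the caller's use-after-free described in the message above simply moves to a different branch.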