On Wed, Feb 02, 2011 at 04:14:01PM +0100, Mike Belopuhov wrote:
> hi, in pf_translate, when we're changing addresses for the icmp messages
> there's an unjustified fallthrough in the IPPROTO_ICMPV6 case. in fact
> this doesn't seem to harm anything because default case performs the
> same operation. note that pd->ip_sum is null in ipv6 case so pf_change_a6
> just punches a translation address to the packet with PF_ACPY.
>
> henning@ agrees that this fallthrough was introduced by mistake, but we
> won't mind if somebody with pf knowledge will glance through the code.

I think there is a missing check and fallthrough in the icmp case.
The logic should be

	if (proto == tcp) {
	} else if (proto == udp) {
	} else if (proto == icmp && af == inet) {
	} else if (proto == icmp6 && af == inet6) {
	} else {
	}

The current code would do icmp processing for an ipv6 packet with
protocol 1. Such a packet is strange but it should not get special
translation treatment.

bluhm
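
The dispatch discussed in this thread, as an added example that is not part of the original mails or of the pf source: a simplified model that compares protocol-only dispatch (the behaviour described above) with dispatch on protocol and address family. The `xlate_path` enum and both function names are hypothetical and only label which translation branch would be taken.

```c
#include <stdio.h>
#include <sys/socket.h>		/* AF_INET, AF_INET6 */
#include <netinet/in.h>		/* IPPROTO_* */

/* Hypothetical labels for the branch taken; not pf identifiers. */
enum xlate_path { XL_TCP, XL_UDP, XL_ICMP4, XL_ICMP6, XL_DEFAULT };

/* Model of the behaviour described in the thread: the branch is chosen
 * by protocol alone and the ICMPv6 case falls through to default. */
enum xlate_path
dispatch_proto_only(int af, int proto)
{
	(void)af;		/* address family is never consulted */
	switch (proto) {
	case IPPROTO_TCP:	return XL_TCP;
	case IPPROTO_UDP:	return XL_UDP;
	case IPPROTO_ICMP:	return XL_ICMP4;
	case IPPROTO_ICMPV6:	/* FALLTHROUGH */
	default:		return XL_DEFAULT;
	}
}

/* The logic proposed in the reply: ICMP handling only when the protocol
 * matches the address family, everything else takes the default branch. */
enum xlate_path
dispatch_proto_af(int af, int proto)
{
	if (proto == IPPROTO_TCP)
		return XL_TCP;
	else if (proto == IPPROTO_UDP)
		return XL_UDP;
	else if (proto == IPPROTO_ICMP && af == AF_INET)
		return XL_ICMP4;
	else if (proto == IPPROTO_ICMPV6 && af == AF_INET6)
		return XL_ICMP6;
	else
		return XL_DEFAULT;
}

int
main(void)
{
	/* Constructed case: an IPv6 packet carrying protocol 1 (ICMP). */
	printf("proto only: %d, proto+af: %d\n",
	    dispatch_proto_only(AF_INET6, IPPROTO_ICMP),
	    dispatch_proto_af(AF_INET6, IPPROTO_ICMP));
	return 0;
}
```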