there have been reports of panics with pfsync defer combined with
ipv6 traffic. i've been over the pfsync code repeatedly trying to
find out where it treats ipv4 and ipv6 differently without any luck.
i just had a lightbulb moment literally minutes ago and came up
with the code below. turns out that you SHOULD treat v4 and v6
differently in some cases...

i would appreciate testing of this change.

cheers,
dlg

Index: if_pfsync.c
===================================================================
RCS file: /cvs/src/sys/net/if_pfsync.c,v
retrieving revision 1.160
diff -u -p -r1.160 if_pfsync.c
--- if_pfsync.c 11 Jan 2011 08:33:27 -0000      1.160
+++ if_pfsync.c 2 Mar 2011 07:53:01 -0000
@@ -74,7 +74,11 @@
 #endif
 
 #ifdef INET6
+#include <netinet/ip6.h>
+#include <netinet/in_pcb.h>
+#include <netinet/icmp6.h>
 #include <netinet6/nd6.h>
+#include <netinet6/ip6_divert.h>
 #endif /* INET6 */
 
 #include "carp.h"
@@ -1745,8 +1749,18 @@ pfsync_undefer(struct pfsync_deferral *p
        if (drop)
                m_freem(pd->pd_m);
        else {
-               ip_output(pd->pd_m, (void *)NULL, (void *)NULL, 0,
-                   (void *)NULL, (void *)NULL);
+               switch (pd->pd_st->key[PF_SK_WIRE]->af) {
+#ifdef INET
+               case AF_INET:
+                       ip_output(pd->pd_m, NULL, NULL, 0, NULL, NULL);
+                       break;
+#endif /* INET */
+#ifdef INET6
+                case AF_INET6:
+                       ip6_output(pd->pd_m, NULL, NULL, 0, NULL, NULL, NULL);
+                       break;
+#endif /* INET6 */
+                }
        }
 
        pool_put(&sc->sc_pool, pd);
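Review bot: The new `switch` on `pd->pd_st->key[PF_SK_WIRE]->af` has no `default` arm, so a deferral whose address family matches neither case (or whose case is compiled out by `INET`/`INET6`) reaches `pool_put()` with `pd->pd_m` neither handed to an output routine nor freed. From the visible lines this looks like an mbuf leak that sustained traffic could turn into mbuf exhaustion; adding `default: m_freem(pd->pd_m); break;` would keep the packet accounted for on every path. The `case AF_INET6:` line and the switch's closing brace also appear to be indented one column off from the neighbouring lines. pfsync_undefer's body starts outside the hunk, so whether `pd_st` and its wire key are always valid at this point cannot be confirmed here.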
