On 1-8-2011 23:59, Alexander Bluhm wrote:
> On Wed, Jul 27, 2011 at 12:44:21AM +0200, Alexander Bluhm wrote:
>> On Fri, May 20, 2011 at 11:54:09AM +0200, Camiel Dobbelaar wrote:
>>> I'll spend some more time on this, but maybe there's an IPv6 guru that
>>> can lend a hand?  :-)
>>
>> Just removing the check seems wrong to me.  This would allow ::1
>> addresses from the wire.  Also the goto hbhcheck would get lost.
> 
> I have reconsidered the existing loopback check in ip6_input().  It
> is wrong.  The check that ::1 is not allowed from the wire must be
> before pf_test().  Otherwise pf could reroute or redirect such a
> packet.
> 
> KAME moved the check in rev 1.189 of their ip6_input.c.  They also
> removed the special goto ours logic for ::1.  I do not change that
> now before release so leave the goto where it is.
> 
> Redirect or nat to ::1 should work with this diff.  But I still
> believe that divert-to is more suitable for that.
> 
> ok?
Fixes the problem for me.

And looks correct according to that KAME rev.

(and I agree with the remark about the divert-to, I'll prepare a manpage
ipv6 example for ftp-proxy)

--
Cam
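The ordering point Alexander makes above (the "::1 only from loopback" check has to run before pf_test(), or a pf redirect to ::1 is dropped while a forged ::1 from the wire could still reach pf) can be modelled in a few lines. This is an added, simplified C model written for this thread, not the OpenBSD diff or kernel code; the packet structure, the `rdr-to ::1` stand-in and the 2001:db8:: addresses are constructed for illustration.

```c
/* Added model of the ordering question in the thread, not the OpenBSD diff:
 * an ip6_input()-like path with the "::1 only from loopback" check placed
 * either after or before the pf hook. */
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct pkt6 {
    struct in6_addr src, dst;
    bool from_loopback;          /* received on lo0 rather than a wire NIC */
};
enum verdict { DROP_SPOOF, DELIVER_LOCAL, FORWARD };

/* ::1 as source or destination is only legitimate on the loopback interface. */
static bool loopback_spoofed(const struct pkt6 *p)
{
    return !p->from_loopback &&
           (IN6_IS_ADDR_LOOPBACK(&p->src) || IN6_IS_ADDR_LOOPBACK(&p->dst));
}

/* Stand-in for pf applying a "rdr-to ::1" rule: rewrites the destination. */
static void pf_test_rdr_to_loopback(struct pkt6 *p)
{
    inet_pton(AF_INET6, "::1", &p->dst);
}

/* Old order: pf first, anti-spoof check after. A legitimate redirect to ::1
 * now looks like a wire packet for ::1 and is dropped (the reported problem). */
static enum verdict input_check_after_pf(struct pkt6 p, bool rdr)
{
    if (rdr) pf_test_rdr_to_loopback(&p);
    if (loopback_spoofed(&p)) return DROP_SPOOF;
    return IN6_IS_ADDR_LOOPBACK(&p.dst) ? DELIVER_LOCAL : FORWARD;
}

/* Fixed order: check first, so forged ::1 packets never reach pf, and pf's
 * own rewrite to ::1 is accepted afterwards (the "goto ours" case). */
static enum verdict input_check_before_pf(struct pkt6 p, bool rdr)
{
    if (loopback_spoofed(&p)) return DROP_SPOOF;
    if (rdr) pf_test_rdr_to_loopback(&p);
    return IN6_IS_ADDR_LOOPBACK(&p.dst) ? DELIVER_LOCAL : FORWARD;
}

/* Constructed test packet that arrived on a non-loopback interface. */
static struct pkt6 wire_packet(const char *src, const char *dst)
{
    struct pkt6 p = { .from_loopback = false };
    inet_pton(AF_INET6, src, &p.src);
    inet_pton(AF_INET6, dst, &p.dst);
    return p;
}
```

With the check before pf, a redirected packet is delivered locally and a wire packet carrying ::1 is dropped; with the check after pf, the redirected packet is dropped as well.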