On Wed, Mar 14, 2012 at 03:32:08PM +0900, YASUOKA Masahiko wrote:
> Hi,
> 
> In ip_input(), there is a filter to disable all packets to 127.0.0.0/27.
> That filter drops a packet that was a transport-mode ESP packet and
> that has been redirected to 127.0.0.1 with pf `rdr-to' rule.
> 
> The diff below will fix the filter not to drop such packets.
> 
> ok? or comment?
> 
> The problem was found by Alexis san.  He is trying to configure npppd
> and isakmpd to listen on 127.0.0.1 and pf to redirect packets to local
> (carp) address with `rdr-to' rule.

Does it work when you use divert-to instead of rdr-to?

> 
> Index: sys/netinet/ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.195
> diff -u -p -r1.195 ip_input.c
> --- sys/netinet/ip_input.c    6 Jul 2011 02:42:28 -0000       1.195
> +++ sys/netinet/ip_input.c    14 Mar 2012 06:29:09 -0000
> @@ -303,7 +303,11 @@ ipv4_input(struct mbuf *m)
>       /* 127/8 must not appear on wire - RFC1122 */
>       if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET ||
>           (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) {
> -             if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
> +             if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0
> +#if NPF > 0
> +                 && !ISSET(m->m_pkthdr.pf.flags, PF_TAG_TRANSLATE_LOCALHOST)
> +#endif
> +                 ) {
>                       ipstat.ips_badaddr++;
>                       goto bad;
>               }
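Review bot: the new PF_TAG_TRANSLATE_LOCALHOST test exempts the whole 127/8 check, including the source-address half of the condition, even though rdr-to only rewrites the destination; consider restricting the exemption to the ip_dst test so that a packet arriving on a non-loopback interface with a 127/8 source address still hits `ipstat.ips_badaddr++` and `goto bad`. The hunk also does not show whether "pf.h" (for NPF) and the pf flag definitions are already included in ip_input.c; confirm that before committing, and consider folding the dangling `) {` line into the `#endif` block's preceding line to match the surrounding style.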
