pfil hooks can modify packet contents so check if the destination

address has been changed when PFIL_HOOKS is enabled and, if it has, arrange for the proper action by ip*_forward. Submitted by: Pyun YongHyeon Supported by: FreeBSD Foundation
2026-06-09 08:43:19 -04:00 · 2003-10-16 18:57:45 +00:00 · 2003-10-16 18:57:45 +00:00 · 3c92002f24
commit 3c92002f24
parent 034d260750
1 changed files with 11 additions and 1 deletions
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@ -247,6 +247,10 @@ ip6_input(m)
 	int nxt, ours = 0;
 	struct ifnet *deliverifp = NULL;

+#ifdef PFIL_HOOKS
+	struct in6_addr odst;
+#endif
+	int srcrt = 0;
 #ifdef IPSEC
 	/*
 	 * should the inner packet be considered authentic?
@ -346,7 +350,12 @@ ip6_input(m)
 		return;
 	if (m == NULL)			/* consumed by filter */
 		return;
+	 *
+	 * NB: Beware of the destination address changing
+	 *     (e.g. by NAT rewriting).  When this happens,
+	 *     tell ip6_forward to do the right thing.
 	ip6 = mtod(m, struct ip6_hdr *);
+	odst = ip6->ip6_dst;
 #endif /* PFIL_HOOKS */

 	ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
@ -356,6 +365,7 @@ ip6_input(m)
 	 */
 	if (ip6_fw_enable && ip6_fw_chk_ptr) {
 		u_short port = 0;
+	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
 		/* If ipfw says divert, we have to just drop packet */
 		/* use port as a dummy argument */
 		if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
@ -710,7 +720,7 @@ ip6_input(m)
 			return;
 		}
 	} else if (!ours) {
-		ip6_forward(m, 0);
+		ip6_forward(m, srcrt);
 		return;
 	}