Subject: kern/13169: ipfilter does not work for IPv6 forwarding case
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 06/11/2001 18:19:27
>Number:         13169
>Category:       kern
>Synopsis:       ipfilter does not work for IPv6 forwarding case
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Jun 11 02:18:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Jun-ichiro itojun Hagino
>Release:        1.5.1_BETA2 and 1.5W
>Organization:
	itojun.org
>Environment:
System: NetBSD starfruit.itojun.org 1.5W NetBSD 1.5W (STARFRUIT) #499: Fri Jun 8 08:59:55 JST 2001 itojun@starfruit.itojun.org:/usr/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
Architecture: i386
Machine: i386
>Description:
	ipfilter hooks are not invoked in the IPv6 forwarding case.
>How-To-Repeat:
>Fix:
	something like this.  the diff was taken against the latest kame tree.
	still needs testing.

Index: ip6_forward.c
===================================================================
RCS file: /cvsroot/kame/kame/kame/sys/netinet6/ip6_forward.c,v
retrieving revision 1.70
diff -u -r1.70 ip6_forward.c
--- ip6_forward.c	2001/06/04 08:57:48	1.70
+++ ip6_forward.c	2001/06/11 09:15:57
@@ -86,6 +86,9 @@
 #if defined(IPV6FIREWALL) || (defined(__FreeBSD__) && __FreeBSD__ >= 4)
 #include <netinet6/ip6_fw.h>
 #endif
+#if defined(__NetBSD__) && defined(PFIL_HOOKS)
+#include <net/pfil.h>
+#endif
 
 #include <net/net_osdep.h>
 
@@ -596,6 +599,32 @@
 	in6_clearscope(&ip6->ip6_src);
 	in6_clearscope(&ip6->ip6_dst);
 #endif
+
+#if defined(__NetBSD__) && defined(PFIL_HOOKS)
+    {
+	struct packet_filter_hook *pfh;
+	struct mbuf *m1;
+	int rv;
+
+	/*
+	 * Run through list of hooks for output packets.
+	 */
+	m1 = m;
+	pfh = pfil_hook_get(PFIL_OUT, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+	for (; pfh; pfh = pfh->pfil_link.tqe_next)
+		if (pfh->pfil_func) {
+		    	rv = pfh->pfil_func(ip6, sizeof(*ip6), rt->rt_ifp, 1, &m1);
+			if (rv) {
+				error = EHOSTUNREACH;
+				goto freecopy;
+			}
+			m = m1;
+			if (m == NULL)
+				goto freecopy;
+			ip6 = mtod(m, struct ip6_hdr *);
+		}
+    }
+#endif /* PFIL_HOOKS */
 
 	error = nd6_output(rt->rt_ifp, origifp, m, dst, rt);
 	if (error) {
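Review bot: On the reject path (`if (rv) { error = EHOSTUNREACH; goto freecopy; }`) nothing in the added block frees `m`, so the code relies on every registered hook having released the mbuf before it returns non-zero; a hook that does not would leak one mbuf per filtered packet, which is an exhaustion risk on a forwarding router. That ownership rule should be stated above the loop, e.g. `/* a hook that returns non-zero, or hands back a NULL mbuf, has consumed the packet; m must not be touched afterwards */`. The hook list is also fetched from `inetsw[ip_protox[IPPROTO_IPV6]]`, which indexes the IPv4 protocol switch; it is worth confirming that this is the same list the IPv6 input and output paths consult, because a mismatch would leave forwarded packets unfiltered with no error reported. The `freecopy` label and the rest of the enclosing function lie outside the hunk, so whether `error` is read after the jump cannot be checked from here.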
>Release-Note:
>Audit-Trail:
>Unformatted: