From 104396b82e345d5a0940c3e056b20484c180e6fa Mon Sep 17 00:00:00 2001
From: sam <sam@FreeBSD.org>
Date: Thu, 16 Oct 2003 18:57:45 +0000
Subject: pfil hooks can modify packet contents so check if the destination
 address has been changed when PFIL_HOOKS is enabled and, if it has, arrange
 for the proper action by ip*_forward.

Submitted by:	Pyun YongHyeon
Supported by:	FreeBSD Foundation
---
 sys/netinet6/ip6_input.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'sys/netinet6/ip6_input.c')

diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index cc6f842..3f2c9cb 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -247,6 +247,10 @@ ip6_input(m)
 	int nxt, ours = 0;
 	struct ifnet *deliverifp = NULL;
 
+#ifdef PFIL_HOOKS
+	struct in6_addr odst;
+#endif
+	int srcrt = 0;
 #ifdef IPSEC
 	/*
 	 * should the inner packet be considered authentic?
@@ -346,7 +350,12 @@ ip6_input(m)
 		return;
 	if (m == NULL)			/* consumed by filter */
 		return;
+	 *
+	 * NB: Beware of the destination address changing
+	 *     (e.g. by NAT rewriting).  When this happens,
+	 *     tell ip6_forward to do the right thing.
 	ip6 = mtod(m, struct ip6_hdr *);
+	odst = ip6->ip6_dst;
 #endif /* PFIL_HOOKS */
 
 	ip6stat.ip6s_nxthist[ip6->ip6_nxt]++;
@@ -356,6 +365,7 @@ ip6_input(m)
 	 */
 	if (ip6_fw_enable && ip6_fw_chk_ptr) {
 		u_short port = 0;
+	srcrt = !IN6_ARE_ADDR_EQUAL(&odst, &ip6->ip6_dst);
 		/* If ipfw says divert, we have to just drop packet */
 		/* use port as a dummy argument */
 		if ((*ip6_fw_chk_ptr)(&ip6, NULL, &port, &m)) {
@@ -710,7 +720,7 @@ ip6_input(m)
 			return;
 		}
 	} else if (!ours) {
-		ip6_forward(m, 0);
+		ip6_forward(m, srcrt);
 		return;
 	}	
 
-- 
cgit v1.1