NetBSD-Bugs archive
Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
I reproduced your case and this is what I found in dmesg.
Apparently it is from ip6_input (RFC 4007).
Joe$ dmesg
loopback address ::1
[ 74.409134] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 75.409142] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 76.412796] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 77.412841] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 78.412919] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 80.412930] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 84.412913] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
Joe$
I traced it in the kernel and it looks like the scope is violated
for the non-loopback interface for ::1.
This happens right after filtering.
    if (in6_setscope(&ip6->ip6_src, rcvif, NULL) ||
        in6_setscope(&ip6->ip6_dst, rcvif, NULL)) {
        IP6_STATINC(IP6_STAT_BADSCOPE);
        goto bad;
    }
Hence a valid scope-violation drop by the kernel.
In in6_setscope:
    if (IN6_IS_ADDR_LOOPBACK(in6)) {
        if (!(ifp->if_flags & IFF_LOOPBACK)) {
            char ip6buf[INET6_ADDRSTRLEN];
            log(LOG_NOTICE, "%s: can't set scope for not loopback "
                "interface %s and loopback address %s\n",
                __func__, if_name(ifp), IN6_PRINT(ip6buf, in6));
            return EINVAL;
        } else {
            if (ret_id != NULL)
                *ret_id = 0; /* there's no ambiguity */
            return 0;
        }
    }
Possible hack:
Unless we hack it in NPF to check if the NATed address is loopback,
then we transmit it ourselves from the firewall. I don't know how good
of a solution that is. Otherwise, you just cannot do it.
Emmanuel
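Added example (not NetBSD or NPF code, and not part of the original message): a user-space model of the scope check quoted above, run against the case from the dmesg output. Interface names, the MODEL_IFF_LOOPBACK flag bit and the addresses are constructed; the real in6_setscope() also assigns zone ids to link-local addresses, which this model does not.

```c
/* Added example, not NetBSD code: models why a packet whose destination was
 * NATed to ::1 is dropped in ip6_input() when it arrives on a non-loopback
 * interface such as wm0, but passes when it arrives on lo0. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_IFF_LOOPBACK 0x8   /* constructed stand-in for IFF_LOOPBACK */

struct model_ifnet {
    const char *name;
    unsigned    flags;
};

/* Constructed interfaces: wm0 is a normal NIC, lo0 is the loopback. */
const struct model_ifnet MODEL_WM0 = { "wm0", 0 };
const struct model_ifnet MODEL_LO0 = { "lo0", MODEL_IFF_LOOPBACK };

/* Mirrors the loopback branch of in6_setscope(): ::1 is only valid on an
 * interface with IFF_LOOPBACK set; any other address is accepted here. */
int model_in6_setscope(const struct in6_addr *in6, const struct model_ifnet *ifp,
                       uint32_t *ret_id)
{
    if (IN6_IS_ADDR_LOOPBACK(in6) && !(ifp->flags & MODEL_IFF_LOOPBACK)) {
        char buf[INET6_ADDRSTRLEN];
        inet_ntop(AF_INET6, in6, buf, sizeof buf);
        fprintf(stderr, "in6_setscope: can't set scope for not loopback "
                "interface %s and loopback address %s\n", ifp->name, buf);
        return EINVAL;
    }
    if (ret_id != NULL)
        *ret_id = 0;    /* no ambiguity for ::1 or, in this model, anything else */
    return 0;
}

/* Models the ip6_input() check: returns 1 if the packet would be dropped and
 * counted as IP6_STAT_BADSCOPE, 0 if it passes, -1 on an unparsable address. */
int model_ip6_input_scope_drop(const char *src, const char *dst,
                               const struct model_ifnet *rcvif)
{
    struct in6_addr s, d;
    if (inet_pton(AF_INET6, src, &s) != 1 || inet_pton(AF_INET6, dst, &d) != 1)
        return -1;
    return (model_in6_setscope(&s, rcvif, NULL) ||
            model_in6_setscope(&d, rcvif, NULL)) ? 1 : 0;
}
```

For the reported case, src 2001:db8::5 and NATed dst ::1 received on wm0 return 1 (dropped), while the same packet on lo0 returns 0.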