NetBSD-Bugs archive
Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
The following reply was made to PR kern/60191; it has been noted by GNATS.
From: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: kern-bug-people%netbsd.org@localhost,
gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost,
campbell+netbsd%mumble.net@localhost,
"joe%netbsd.org@localhost" <joe%NetBSD.org@localhost>
Subject: Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
Date: Wed, 29 Apr 2026 13:30:49 +0000
I reproduced your case and this is what I found in dmesg.
Apparently it is from ip6_input. RFC 4007
Joe$ dmesg
loopback address ::1
[ 74.409134] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 75.409142] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 76.412796] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 77.412841] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 78.412919] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 80.412930] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
[ 84.412913] in6_setscope: can't set scope for not loopback interface wm0 and loopback address ::1
Joe$
I traced in the kernel and it looks like scope is violated
for the not loopback interface for ::1.
This happens right after filtering.
	/* ip6_input(): scope check run on the received interface after filtering */
	if (in6_setscope(&ip6->ip6_src, rcvif, NULL) ||
	    in6_setscope(&ip6->ip6_dst, rcvif, NULL)) {
		IP6_STATINC(IP6_STAT_BADSCOPE);
		goto bad;	/* packet is dropped */
	}
Hence a valid scope violation drop by the kernel.
in in6_setscope:
	/* ::1 is only acceptable on an interface flagged IFF_LOOPBACK */
	if (IN6_IS_ADDR_LOOPBACK(in6)) {
		if (!(ifp->if_flags & IFF_LOOPBACK)) {
			char ip6buf[INET6_ADDRSTRLEN];
			log(LOG_NOTICE, "%s: can't set scope for not loopback "
			    "interface %s and loopback address %s\n",
			    __func__, if_name(ifp), IN6_PRINT(ip6buf, in6));
			return EINVAL;	/* caller counts it as BADSCOPE */
		} else {
			if (ret_id != NULL)
				*ret_id = 0;	/* there's no ambiguity */
			return 0;
		}
	}
Possible hack:
Unless we hack it in NPF to check if the NATed address is loopback
and then transmit it ourselves from the firewall. I don't know how good
of a solution that is. Otherwise, you just cannot do it.
Emmanuel