On Fri, Nov 17, 2006 at 05:17:22PM -0500, Steven M. Bellovin wrote:
> On Fri, 17 Nov 2006 16:02:31 -0600, David Young <dyoung@pobox.com> wrote:
> 
> > The departure of IPv6 interfaces does not agree with pf.  The pfil hooks
> > that signal the interface's departure run before IPv6 sends messages
> > to indicate that it is leaving its multicast groups; when pf filters
> > the departure messages, it does not recognize the output interface,
> > so it complains at the departure of gre65, for example:
> > 
> > pf_test6: kif == NULL, if_xname gre65
> 
> That works in v4, at least with no multicast running.  I use pf filters
> for ppp interfaces; I see the message but no further trouble when pppd
> ends.

pf_test6 returns PF_DROP after it prints that message, so it blocks the
packets that IPv6 tries to send as it removes addresses and multicast
memberships from an interface.  That will surprise somebody, someday.
It seems to me that we need to remove the pfil hooks after calling the
protocol purge routines in if_detach().  I wonder if we will lose for
some other reason if I move the hook removal?

Dave

-- 
David Young             OJC Technologies
dyoung@ojctech.com      Urbana, IL * (217) 278-3933