Re: PF+IPv6 broken for me

[Jarek Poplawski <jarkao2%gmail.com@localhost>]

Nino Dehne wrote:
> Hi,
> 
> I've been a long-time user of PF and IPv6. Apart from some problems with
> IPv6 and modulate state it's always worked quite well for me.
> 
> Recently however, IPv6 states seem to be completely broken. Telnet from
> xxxx:xxxx:xxxx:1::1:1 (NetBSD 5.0) to yyyy:yyyy:yyyy:1::2 (5.1) creates the
> following states on the router (5.99.47)
> 
> vlan1 tcp yyyy:yyyy:yyyy:1::2[25] <- xxxx:xxxx:xxxx:1::1:1[55622] 
> SYN_SENT:ESTABLISHED
>    [196436162 + 65536] wscale 3  [743966954 + 32769] wscale 3
>    age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
>    id: f86c694d75000000 creatorid: 7780629f
> vr1 tcp xxxx:xxxx:xxxx:1::1:1[55622] -> yyyy:yyyy:yyyy:1::2[25] 
> ESTABLISHED:SYN_SENT
>    [743966954 + 32769] wscale 3  [196436162 + 65536] wscale 3
>    age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
>    id: f86c694d76000000 creatorid: 7780629f
> 
> with these rules:
> 
> @35 pass out quick on vr1 inet6 all flags S/SA keep state (if-bound) tagged 
> LAN-EXT
> @65 pass in quick on vlan1 inet6 from <allow_egress:8> to any flags S/SA keep 
> state \
>       (if-bound) tag LAN-EXT
> 
> Immediately after establishing the connection, I get this on pflog0:
> 
> 22:33:06.097421 rule 95/0(match): block in on vlan1: \
>       xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: Flags [F.], seq 
> 0, \
>       ack 1, win 8280, options [nop,nop,TS val 777 ecr 186], length 0
> 
> Rule 95 is block drop log quick all.
...
> This ruleset has worked for years. I noticed it failing with 5.1 and now
> 5.99.47. Am I completely missing something here? Does PF with IPv6 really not
> work or is it me?
> 
> Where to start looking?

Did you notice the blocked packet's source port number is different
from the established?

Regards,
Jarek P.