PF+IPv6 broken for me
I've been a long-time user of PF and IPv6. Apart from some problems with
IPv6 and modulate state, it's always worked quite well for me.
Recently, however, IPv6 states seem to be completely broken. Telnet from
xxxx:xxxx:xxxx:1::1:1 (NetBSD 5.0) to yyyy:yyyy:yyyy:1::2 (5.1) creates the
following states on the router (5.99.47):
vlan1 tcp yyyy:yyyy:yyyy:1::2 <- xxxx:xxxx:xxxx:1::1:1
[196436162 + 65536] wscale 3 [743966954 + 32769] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
id: f86c694d75000000 creatorid: 7780629f
vr1 tcp xxxx:xxxx:xxxx:1::1:1 -> yyyy:yyyy:yyyy:1::2
[743966954 + 32769] wscale 3 [196436162 + 65536] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
id: f86c694d76000000 creatorid: 7780629f
with these rules:
@35 pass out quick on vr1 inet6 all flags S/SA keep state (if-bound) tagged
@65 pass in quick on vlan1 inet6 from <allow_egress:8> to any flags S/SA keep
(if-bound) tag LAN-EXT
Immediately after establishing the connection, I get this on pflog0:
22:33:06.097421 rule 95/0(match): block in on vlan1: \
xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: Flags [F.], seq
ack 1, win 8280, options [nop,nop,TS val 777 ecr 186], length 0
Rule 95 is block drop log quick all.
The ruleset is fairly simple and made up of rules like the above, passing
traffic in while tagging it and out with the correct tag - no NAT or anything.
I also have these, although scrubbing makes no difference to the problem:
set block-policy drop
set debug urgent
set skip on lo
set state-policy if-bound
#scrub random-id reassemble tcp
This ruleset has worked for years. I noticed it failing with 5.1 and now
5.99.47. Am I completely missing something here? Does PF with IPv6 really not
work or is it me?
Where to start looking?
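One place to start is to check whether the blocked packet is even covered by the states pf shows. The script below is an added example and not part of the post: it parses the two pfctl state entries and the pflog line quoted above (both constructed here from the post's text, with the xxxx:/yyyy: placeholder prefixes kept verbatim, so addresses are compared as strings rather than parsed as IPv6) and reports whether the blocked FIN's interface, direction and address pair are covered by an if-bound state. Ports are deliberately not compared because the pasted state output shows none; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed from the pfctl -ss output quoted in the post (not live data).
STATE_OUTPUT = """\
vlan1 tcp yyyy:yyyy:yyyy:1::2 <- xxxx:xxxx:xxxx:1::1:1
[196436162 + 65536] wscale 3 [743966954 + 32769] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
id: f86c694d75000000 creatorid: 7780629f
vr1 tcp xxxx:xxxx:xxxx:1::1:1 -> yyyy:yyyy:yyyy:1::2
[743966954 + 32769] wscale 3 [196436162 + 65536] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
id: f86c694d76000000 creatorid: 7780629f
"""

# Constructed from the pflog0 line quoted in the post, joined onto one line.
PFLOG_LINE = ("22:33:06.097421 rule 95/0(match): block in on vlan1: "
              "xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: "
              "Flags [F.], ack 1, win 8280, length 0")


@dataclass
class State:
    iface: str
    proto: str
    src: str          # address that sent the state-creating packet
    dst: str
    direction: str    # "in" or "out" for the state-creating packet
    rule: int = -1
    state_id: str = ""


@dataclass
class Packet:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    rule: int
    action: str


STATE_RE = re.compile(r"^(\S+) (\S+) (\S+) (<-|->) (\S+)$")
RULE_RE = re.compile(r"rule (\d+)$")
ID_RE = re.compile(r"^id: (\S+) creatorid: (\S+)$")
PFLOG_RE = re.compile(
    r"rule (\d+)/\d+\(\w+\): (block|pass) (in|out) on (\S+): "
    r"(\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_states(text):
    """Turn pfctl -ss style output into State records."""
    states, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = STATE_RE.match(line)
        if m:
            iface, proto, left, arrow, right = m.groups()
            # "A <- B": inbound flow, B sent the first packet to A.
            # "A -> B": outbound flow, A sent the first packet to B.
            if arrow == "<-":
                cur = State(iface, proto, right, left, "in")
            else:
                cur = State(iface, proto, left, right, "out")
            states.append(cur)
            continue
        if cur is None:
            continue
        m = RULE_RE.search(line)
        if m:
            cur.rule = int(m.group(1))
            continue
        m = ID_RE.match(line)
        if m:
            cur.state_id = m.group(1)
    return states


def parse_pflog(line):
    """Extract rule, action, direction, interface and 5-tuple from a pflog line."""
    m = PFLOG_RE.search(line)
    if not m:
        raise ValueError("unrecognised pflog line: %r" % line)
    rule, action, direction, iface, src, sport, dst, dport = m.groups()
    return Packet(iface, direction, src, int(sport), dst, int(dport),
                  int(rule), action)


def matching_states(states, pkt):
    """States bound to pkt.iface whose address pair covers pkt in either
    direction (original direction, or the reply direction with src/dst
    swapped). Ports are ignored because the quoted output shows none."""
    hits = []
    for st in states:
        if st.iface != pkt.iface:
            continue
        same_way = (pkt.direction == st.direction and
                    pkt.src == st.src and pkt.dst == st.dst)
        reply = (pkt.direction != st.direction and
                 pkt.src == st.dst and pkt.dst == st.src)
        if same_way or reply:
            hits.append(st)
    return hits


def explain(states, pkt):
    """One-line verdict on whether the logged drop is explained by a missing state."""
    if pkt.action != "block":
        return "packet was not blocked"
    hits = matching_states(states, pkt)
    if not hits:
        return "no if-bound state on %s covers this flow" % pkt.iface
    desc = ", ".join("id %s (rule %d)" % (s.state_id, s.rule) for s in hits)
    return ("blocked by rule %d on %s although state %s covers the address pair"
            % (pkt.rule, pkt.iface, desc))


if __name__ == "__main__":
    print(explain(parse_states(STATE_OUTPUT), parse_pflog(PFLOG_LINE)))
```

Run on the quoted data it reports that the FIN blocked by rule 95 on vlan1 is covered, on addresses, by the vlan1 state created by rule 65, so a plain missing-state explanation does not fit; the next thing to compare would be the ports, which the pasted state lines do not show.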