From: Daniel Hartmeier
To: Bernhard Schmidt
Cc: freebsd-pf@freebsd.org
Date: Sat, 4 Dec 2004 21:03:13 +0100
Subject: Re: IPv6 MLD packets blocked
Message-ID: <20041204200312.GE32076@insomnia.benzedrine.cx>

On Sat, Dec 04, 2004 at 02:34:03AM +0000, Bernhard Schmidt wrote:

> http://www.birkenwald.de/~berni/tmp/mld.dump

The decoded packet looks sane:

Dec 04 03:32:09.031473 0:e0:18:f4:5c:37 33:33:0:0:88:88 86dd 86: fe80::2e0:18ff:fef4:5c37 > ff1e::8888: HBH (rtalert: 0x0000) icmp6: multicast listener report max resp delay: 0 addr: ff1e::8888 [hlim 1] (len 32)
  0000: 6000 0000 0020 0001 fe80 0000 0000 0000  `.... ..þ.......
  0010: 02e0 18ff fef4 5c37 ff1e 0000 0000 0000  .à.ÿþô\7ÿ.......
  0020: 0000 0000 0000 8888 3a00 0502 0000 0100  ........:.......
  0030: 8300 f7d1 0000 0000 ff1e 0000 0000 0000  ..÷Ñ....ÿ.......
  0040: 0000 0000 0000 8888                      ........

IPv6 header (ip6_hdr)
  ip6_flow      0x6000 0000
  ip6_plen      0x0020
  ip6_nxt       0x00 (IPPROTO_HOPOPTS)
  ip6_hlim      0x01
  ip6_src       0xfe80 0000 0000 0000 02e0 18ff fef4 5c37
  ip6_dst       0xff1e 0000 0000 0000 0000 0000 0000 8888

Extension header (ip6_ext)
  ip6e_nxt      0x3a (IPPROTO_ICMPV6)
  ip6e_len      0x00 (8 bytes)
  ip6_opt
    ip6o_type   0x05 (IP6OPT_ROUTER_ALERT)
    ip6o_len    0x02
    ip6or_value 0x0000 (IP6_ALERT_MLD)

ICMPV6 (icmp6_hdr)
  icmp6_type    0x83 (MLD_LISTENER_REPORT)
  icmp6_code    0x00
  icmp6_cksum   0xf7d1
  (mld_hdr)
    mld_maxdelay  0x0000
    mld_reserved  0x0000
    mld_addr      0xff1e 0000 0000 0000 0000 0000 0000 8888

This should not be dropped, at least I can't spot where it would be.

Can you make sure that you don't get _anything_ in /var/log/message
with pfctl -xm when such a packet is dropped? If you compare pfctl -si
counter before and after a drop, do any of them increase? This makes
sure we're looking in the right places. Thanks.

Daniel
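
Added example (not part of Daniel's message and not pf code): a standard-library Python decode of the dump above that walks the hop-by-hop options and checks the ICMPv6 checksum over the IPv6 pseudo-header. The function names are chosen for this example; the packet bytes are copied from the hex dump.

```python
import struct

# IPv6 packet bytes copied row by row from the hex dump in the message above.
PACKET = bytes.fromhex(
    "6000 0000 0020 0001 fe80 0000 0000 0000"
    "02e0 18ff fef4 5c37 ff1e 0000 0000 0000"
    "0000 0000 0000 8888 3a00 0502 0000 0100"
    "8300 f7d1 0000 0000 ff1e 0000 0000 0000"
    "0000 0000 0000 8888")

IPPROTO_HOPOPTS, IPPROTO_ICMPV6, IP6OPT_PAD1 = 0, 58, 0x00


def hbh_options(ext):
    """Yield (ip6o_type, value) for each TLV option in a hop-by-hop header."""
    i = 2  # skip ip6e_nxt and ip6e_len
    while i < len(ext):
        if ext[i] == IP6OPT_PAD1:  # Pad1 is one byte with no length field
            i += 1
            continue
        if i + 1 >= len(ext) or i + 2 + ext[i + 1] > len(ext):
            raise ValueError("option runs past the extension header")
        yield ext[i], ext[i + 2:i + 2 + ext[i + 1]]
        i += 2 + ext[i + 1]


def icmp6_sum(src, dst, icmp):
    """Folded 16-bit sum over pseudo-header + ICMPv6; 0xffff means valid."""
    data = src + dst + struct.pack("!II", len(icmp), IPPROTO_ICMPV6) + icmp
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(pkt):
    plen, nxt, hlim = struct.unpack("!HBB", pkt[4:8])
    if len(pkt) != 40 + plen:
        raise ValueError("ip6_plen does not match the captured length")
    src, dst, off, opts = pkt[8:24], pkt[24:40], 40, []
    if nxt == IPPROTO_HOPOPTS:  # hop-by-hop may only follow the IPv6 header
        ext_len = (pkt[off + 1] + 1) * 8  # ip6e_len: 8-byte units after the first
        ext = pkt[off:off + ext_len]
        opts = list(hbh_options(ext))
        nxt, off = ext[0], off + ext_len
    icmp = pkt[off:]
    return {"hlim": hlim, "opts": opts, "proto": nxt, "icmp6_type": icmp[0],
            "mld_addr": icmp[8:24], "cksum_ok": icmp6_sum(src, dst, icmp) == 0xFFFF}
```

Calling decode(PACKET) also shows the trailing bytes 01 00 in the extension header as a zero-length PadN option (type 0x01), which fills the header out to 8 bytes.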