From: Bernhard Schmidt
To: Daniel Hartmeier
Cc: freebsd-pf@freebsd.org
Subject: Re: IPv6 MLD packets blocked
Date: Sat, 04 Dec 2004 21:24:42 +0100

Hi,

> > http://www.birkenwald.de/~berni/tmp/mld.dump
>
> The decoded packet looks sane: [...]
> This should not be dropped, at least I can't spot where it would be.
>
> Can you make sure that you don't get _anything_ in /var/log/message with
> pfctl -xm when such a packet is dropped?

Nothing, I kept it running that way and the only kernel messages I got
so far are

Dec 4 20:16:51 heimdall kernel: pf_map_addr: selected address 62.245.160.121

with my regular ruleset which is probably NATing or something like that.

> If you compare pfctl -si counter before and after a drop, do any of
> them increase?

I'll have to offload some traffic from the box, unfortunately it has the
PPP connection (to my provider) and no display. I could disconnect PPP,
but I would still have ssh (probably counting). I can say though that
the following counters

bad-offset 0 0.0/s
fragment 4 0.0/s
short 158 0.0/s
normalize 0 0.0/s
memory 8 0.0/s

do not increase when a report is dropped. I can say quite sure that the
match counter doesn't increase also (I run the command before and after
I sent a packet, if the update of the counter is sufficiently fast it is
not in there) and that there is no state for this packet.

BTW, I've opened a PR for that, misc/74683

Bernhard
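
The before/after comparison of `pfctl -si` counters discussed in this message, as an added example that is not part of the original post or of pf itself: it parses two saved snapshots and reports which counters moved. It assumes the usual layout (unindented section header, indented `name value rate` rows); the function names are hypothetical, and the sample snapshots are constructed, reusing the drop-counter values quoted above with made-up `match` and State Table figures.

```python
import re

# Constructed snapshot of `pfctl -si` taken before sending one MLD report.
# Drop-counter values are those quoted in the message; the rest is made up.
BEFORE = """\
State Table                          Total             Rate
  current entries                        3
  searches                            9120            2.1/s
Counters
  match                               1204            0.3/s
  bad-offset                             0            0.0/s
  fragment                               4            0.0/s
  short                                158            0.0/s
  normalize                              0            0.0/s
  memory                                 8            0.0/s
"""
# Constructed "after" snapshot: the packet was looked up, nothing else moved.
AFTER = BEFORE.replace("9120", "9121")

# Indented row: counter name (may contain spaces or hyphens), value, optional rate.
ROW = re.compile(r"^\s+(\S.*?)\s+(\d+)(?:\s+[\d.]+/s)?\s*$")


def parse_counters(text, section="Counters"):
    """Return {name: value} for the rows listed under `section`."""
    counters, inside = {}, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # An unindented line starts a new section; track whether it is ours.
            inside = line.startswith(section)
            continue
        m = ROW.match(line) if inside else None
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def changed(before, after, section="Counters"):
    """Return {name: delta} for every counter whose value differs."""
    b, a = parse_counters(before, section), parse_counters(after, section)
    return {k: a[k] - b.get(k, 0) for k in a if a[k] != b.get(k, 0)}


if __name__ == "__main__":
    # An empty dict means no match and no drop reason was counted for the packet.
    print("Counters:", changed(BEFORE, AFTER))
    print("State Table:", changed(BEFORE, AFTER, "State Table"))
```

On a busy box, as with the ssh and PPP traffic mentioned above, unrelated packets also move these counters, so take the two snapshots as close together as possible.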