Date: Sat, 22 May 2010 17:03:44 +0200 (CEST)
From: Christian Laursen <xi@borderworlds.dk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: kern/146832: [pf] "(self)" not always matching all local IPv6 addresses
Message-ID: <20100522150344.9C352171A6@talaxian.borderworlds.dk>
Resent-Message-ID: <201005221510.o4MFA1wg084907@freefall.freebsd.org>
>Number:         146832
>Category:       kern
>Synopsis:       [pf] "(self)" not always matching all local IPv6 addresses
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 22 15:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Christian Laursen
>Release:        FreeBSD 8.0-RELEASE-p2 amd64
>Organization:
The Border Worlds
>Environment:
System: FreeBSD talaxian.borderworlds.dk 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #4: Thu Jan 7 21:11:54 CET 2010 root@talaxian.borderworlds.dk:/usr/obj/usr/src/sys/TALAXIAN amd64

>Description:
I have tripped over what I believe is a bug in pf.

On my test machine I have this fairly simple ruleset:

===============================================
set block-policy return
set skip on lo0

block in all
pass out proto { tcp, udp } all keep state
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all

pass in proto tcp from any to (self) port 22
===============================================

After booting the machine ifconfig for em0 looks like this:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The problem is that when I try to ssh to the machine the connection is not
allowed through:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused

I have tried various things when I tried to figure out what is going on here.

In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

After doing this, ssh works:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr 6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT (from April 1).

I can mention that changing "(self)" to "self" in the ruleset works as
expected and the problem returns when changing it back.

When I see this behaviour, it can also be "fixed" by adding another
interface, e.g. "ifconfig gif0 create".

I hope that this makes sense and that someone more familiar with the inner
workings of pf is able to reproduce it. I like using "(self)" but when it
doesn't work reliably I'm forced to resort to workarounds.

If I need to provide more info, I'll be happy to do so.

Thanks in advance.

>How-To-Repeat:
Use "(self)" in your pf ruleset along with IPv6. I have not been able to
figure out exactly when this behaviour is triggered but it has happened to
me often enough to be annoying.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
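The report shows the failure only for the one address the reporter happened to try. A practical way to confirm that a "(self)" rule really covers every local IPv6 address, and to catch a regression of this bug after a reboot or an interface change, is to enumerate the global-scope addresses from the firewall's ifconfig output and probe the intended port on each of them from another host. The script below is an added example, not part of the PR or of pf; it embeds the em0 output quoted above as constructed sample input, and its probe function assumes an nc(1) that supports -z and -w.

```shell
#!/bin/sh
# Added example (not from the PR): list the global-scope IPv6 addresses in
# ifconfig(8) output and probe one TCP port on each, so a pf rule that uses
# "(self)" can be checked against every local address, not just one.

# Constructed sample input: the em0 output from the report after the second
# address was added. Leading whitespace matches ifconfig's indentation.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'

# Read ifconfig-style text on stdin and print one global-scope IPv6 address
# per line. Link-local addresses (fe80::/10) are skipped: they carry a %zone
# suffix and are not what a remote ssh client connects to.
global_inet6() {
    awk '$1 == "inet6" && $2 !~ /^fe[89ab]/ { print $2 }'
}

# Number of global-scope IPv6 addresses in the ifconfig text passed as $1.
count_global_inet6() {
    printf '%s\n' "$1" | global_inet6 | wc -l | tr -d ' '
}

# The n-th (1-based, $2) global-scope IPv6 address in the ifconfig text $1.
nth_global_inet6() {
    printf '%s\n' "$1" | global_inet6 | sed -n "${2}p"
}

# Probe TCP port $2 on every global-scope IPv6 address in ifconfig text $1.
# Run this from a host on the far side of the firewall with the ifconfig
# output copied from the pf host (on the pf host itself the connection stays
# on lo0, which the reporter's ruleset skips). Assumes nc(1) with -z (connect
# only) and -w (timeout in seconds). Returns non-zero if any address failed.
probe_all() {
    text=$1
    port=$2
    failed=0
    for addr in $(printf '%s\n' "$text" | global_inet6); do
        if nc -z -w 3 "$addr" "$port" >/dev/null 2>&1; then
            echo "ok       [$addr]:$port"
        else
            echo "FAILED   [$addr]:$port  (is this address covered by the rule?)"
            failed=1
        fi
    done
    return $failed
}

# Stand-alone run: show what the parser extracts from the sample.
printf '%s\n' "$SAMPLE_IFCONFIG" | global_inet6
```

Typical use is `probe_all "$(cat ifconfig-em0.txt)" 22` from a remote host, where ifconfig-em0.txt holds `ifconfig em0` output taken on the firewall; a FAILED line for an address that the ruleset should admit is exactly the symptom the report describes, and repeating the probe after each address or interface change gives a simple way to see when the table stops matching.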