From: SUZUKI Shinsuke
To: max@love2party.net
Cc: suz@freebsd.org, freebsd-gnats-submit@freebsd.org, freebsd-pf@freebsd.org
Date: Thu, 31 Aug 2006 15:47:13 +0900
Organization: Networking Technology Development Dept., ALAXALA Networks Corporation
In-Reply-To: <200608301339.42374.max@love2party.net>
Subject: Re: kern/102647: Using pf stateful rules for inet6 fails for connections originating from the firewall itself to a service running on the same box

Hi, Max.

>>>>> On Wed, 30 Aug 2006 13:39:34 +0200
>>>>> max@love2party.net (Max Laier) said:
> another problem that maybe related. The bottom line is that packets
> to or from local addresses never show up on bpf as they are not
> processed by lo0's input/output routines. Do you have any idea how
> to address this?

It is a spec (bug?) of if_simloop() (net/if_loop.c), not regarding this problem.

- The BPF of the physical interface, instead of lo0, detects the packet.

    % ping6 fe80::20c:29ff:fe54:6378%lnc2
    16 bytes from fe80::20c:29ff:fe54:6378%lnc2, icmp_seq=0 hlim=64 time=2.857 ms

    % tcpdump -X -ni lnc2
    3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
        0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
        0x0010:  0000 020c 29ff fe54 6378 8000 3c25 0bfe  ....)..Tcx..<%..
        0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.
    3a:40:fe:80:00:00 > 60:00:00:00:00:10 Null Information, send seq 1, rcv seq 6, Flags [Command], length 42
        0x0000:  0000 020c 29ff fe54 6378 fe80 0000 0000  ....)..Tcx......
        0x0010:  0000 020c 29ff fe54 6378 8100 3b25 0bfe  ....)..Tcx..;%..
        0x0020:  0000 44f6 81de 0004 5806                 ..D.....X.

- if_simloop() just passes the received mbuf to the BPF of the physical interface in case of IPv6.
  (please see the following code)

    if (ifp->if_bpf) {
        if (ifp->if_bpf->bif_dlt == DLT_NULL) {
            u_int32_t af1 = af;	/* XXX beware sizeof(af) != 4 */
            bpf_mtap2(ifp->if_bpf, &af1, sizeof(af1), m);
                <= this one is called in case of IPv4, since ifp=lo0
        } else
            bpf_mtap(ifp->if_bpf, m);
                <= this one is normally called in case of IPv6, since ifp=physical I/F
                   and physical I/F's DLT is normally DLT_EN10MB
    }

- However, due to a lack of correct layer2 header information, the BPF cannot display the packet correctly.
  (A dummy padding can partly solve the problem. But it would be problematic in terms of BPF filtering based on layer-2 information...)

Thanks,
----
SUZUKI, Shinsuke @ KAME Project