From owner-freebsd-pf@FreeBSD.ORG Sat Dec 12 21:11:34 2009
Date: Sat, 12 Dec 2009 13:11:28 -0800
From: Aaron Stellman <zion@x96.org>
To: freebsd-pf@freebsd.org
Subject: Re: IPv6, PF problem
Message-ID: <20091212211128.GA28@x96.org>
In-Reply-To: <20091212012507.GD27716@x96.org>
References: <20091212012507.GD27716@x96.org>
User-Agent: Mutt/1.5.20 (2009-06-14)
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello there,

> What does "pfctl -vvsr" give you for the rule? It should include the number
> of addresses assigned to the interface in the braces - e.g. "... (bge0:4) ..."

@8 pass in on bge0 proto tcp from any to (bge0:4) port = ftp flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 79900 ]

> In addition, can you try to add separate rules for inet and inet6 - i.e.
>
> pass in on $ext_if inet proto tcp to ($ext_if) port 21
> pass in on $ext_if inet6 proto tcp to ($ext_if) port 21

@8 pass in on bge0 inet proto tcp from any to (bge0:2) port = ftp flags S/SA keep state
  [ Evaluations: 1         Packets: 17        Bytes: 916         States: 1     ]
  [ Inserted: uid 0 pid 80198 ]
@9 pass in on bge0 inet6 proto tcp from any to (bge0:2) port = ftp flags S/SA keep state
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 80198 ]

and it passes the inet6 connection with these two rules. Do you consider it a bug? This essentially forces me to have 2 separate rules for inet and inet6.

Thanks
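The two rule forms discussed in this thread, written out as a pf.conf fragment. This is an added example, not configuration posted by the author or shipped with FreeBSD; the interface name bge0 and the ftp port come from the thread, the $ext_if macro and everything else is assumed. It puts the single address-family-neutral rule next to the explicit inet/inet6 pair so the two can be loaded and compared with the pfctl counters shown above.

```pf
# /etc/pf.conf fragment (added example, not from the thread)
# Assumed: bge0 is the external interface, as in the thread.
ext_if = "bge0"

# Form 1: one rule covering both address families.
# ($ext_if) expands to the addresses currently on the interface;
# "pfctl -vvsr" prints the expanded rule with the address count in the
# braces, e.g. "(bge0:4)". In the thread this rule showed
# "Evaluations: 0" for the IPv6 FTP connection.
pass in on $ext_if proto tcp from any to ($ext_if) port ftp flags S/SA keep state

# Form 2: one rule per address family, as suggested earlier in the thread.
# With these two loaded the poster's inet6 connection was passed
# (the inet rule picked up the IPv4 test, the inet6 rule the IPv6 one).
pass in on $ext_if inet  proto tcp from any to ($ext_if) port ftp flags S/SA keep state
pass in on $ext_if inet6 proto tcp from any to ($ext_if) port ftp flags S/SA keep state
```

To compare the two forms, load one at a time and check the counters rather than guessing from the connection result: `pfctl -nf /etc/pf.conf` syntax-checks the file, `pfctl -f /etc/pf.conf` loads it, `pfctl -z` zeroes the per-rule statistics, and after a test connection `pfctl -vvsr` shows which rule got Evaluations/Packets/States and how many addresses the `(bge0:N)` list expanded to. That N is worth checking against `ifconfig bge0`: the thread's first output shows `(bge0:4)` and the second `(bge0:2)`, so the interface address list changed between the two loads, and a rule whose expanded list does not include the IPv6 address the client connects to cannot match regardless of the address-family keyword.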