List: freebsd-pf
Subject: "(self)" not always matching all local IPv6 addresses
From: Christian Laursen <xi () borderworlds ! dk>
Date: 2010-04-06 18:12:58
Message-ID: 4BBB79AA.7040600 () borderworlds ! dk
Hello,
I have tripped over what I believe is a bug in pf.
On my test machine I have this fairly simple ruleset:
===============================================
set block-policy return
set skip on lo0
block in all
pass out proto { tcp, udp } all keep state
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all
pass in proto tcp from any to (self) port 22
===============================================
After booting the machine ifconfig for em0 looks like this:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:73:96:a9
inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
The problem is that when I try to ssh to the machine the connection is
not allowed through:
[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused
I have tried various things when I tried to figure out what is going on
here. In this case it helps to add another IPv6 address to em0:
ifconfig em0 inet6 2001:6c8:6:6::2
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:73:96:a9
inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
inet6 2001:6c8:6:6::2 prefixlen 64
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
After doing this, ssh works:
[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr 6 21:56:48 2010 from 10.1.0.2
I have observed this problem on 7.3, 8.0 and -CURRENT less than a week old.
I can mention that changing "(self)" to "self" in the ruleset works as
expected and the problem returns when changing it back.
When I see this behaviour, it can also be "fixed" by adding another
interface, e.g. "ifconfig gif0 create".
I hope that this makes sense and that someone more familiar with the
inner workings of pf is able to reproduce it. I like using "(self)" but
when it doesn't work reliably I'm forced to resort to workarounds.
If I need to provide more info, I'll be happy to do so.
Thanks in advance.
--
Christian Laursen
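A quick way to check which local addresses a "(self)" rule ought to cover, as an added example that is not part of this thread: parse the ifconfig output for the interface, collect every inet/inet6 address (dropping the link-local scope suffix), and report any that a given set of addresses the rule was observed to accept traffic for does not include. The `seen` set is constructed for illustration; how you establish what pf actually matched is up to you.

```python
import ipaddress
import re

# ifconfig output for em0 as quoted in the report, before the extra address was added
IFCONFIG_EM0 = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
"""

ADDR_RE = re.compile(r"^\s*(inet6?)\s+(\S+)")


def local_addresses(ifconfig_text):
    """Every inet/inet6 address configured on the interface, i.e. the set
    that 'self' is supposed to expand to. The %em0 scope id on link-local
    addresses is stripped so the value parses as a plain address."""
    addrs = set()
    for line in ifconfig_text.splitlines():
        m = ADDR_RE.match(line)
        if not m:
            continue
        addr = m.group(2).split("%", 1)[0]  # drop link-local scope suffix
        addrs.add(ipaddress.ip_address(addr))
    return addrs


def uncovered(ifconfig_text, matched):
    """Local addresses missing from `matched`, the addresses for which the
    (self) rule was observed to let traffic through. Sorted by string form
    because IPv4 and IPv6 address objects do not compare with each other."""
    matched = {ipaddress.ip_address(a) for a in matched}
    return sorted(local_addresses(ifconfig_text) - matched, key=str)


if __name__ == "__main__":
    # constructed: suppose only these two addresses were seen to be accepted
    seen = ["10.1.0.40", "fe80::a00:27ff:fe73:96a9"]
    for a in uncovered(IFCONFIG_EM0, seen):
        print("not covered by (self) rule:", a)
```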