Discussion:
PF+IPv6 broken for me
Nino Dehne
2011-02-26 22:00:11 UTC
Hi,

I've been a long-time user of PF and IPv6. Apart from some problems with
IPv6 and modulate state it's always worked quite well for me.

Recently however, IPv6 states seem to be completely broken. Telnet from
xxxx:xxxx:xxxx:1::1:1 (NetBSD 5.0) to yyyy:yyyy:yyyy:1::2 (5.1) creates the
following states on the router (5.99.47):

vlan1 tcp yyyy:yyyy:yyyy:1::2[25] <- xxxx:xxxx:xxxx:1::1:1[55622] SYN_SENT:ESTABLISHED
[196436162 + 65536] wscale 3 [743966954 + 32769] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
id: f86c694d75000000 creatorid: 7780629f
vr1 tcp xxxx:xxxx:xxxx:1::1:1[55622] -> yyyy:yyyy:yyyy:1::2[25] ESTABLISHED:SYN_SENT
[743966954 + 32769] wscale 3 [196436162 + 65536] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
id: f86c694d76000000 creatorid: 7780629f

with these rules:

@35 pass out quick on vr1 inet6 all flags S/SA keep state (if-bound) tagged LAN-EXT
@65 pass in quick on vlan1 inet6 from <allow_egress:8> to any flags S/SA keep state \
(if-bound) tag LAN-EXT

Immediately after establishing the connection, I get this on pflog0:

22:33:06.097421 rule 95/0(match): block in on vlan1: \
xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: Flags [F.], seq 0, \
ack 1, win 8280, options [nop,nop,TS val 777 ecr 186], length 0

Rule 95 is block drop log quick all.

The ruleset is fairly simple and made up of rules like the above, passing
traffic in while tagging it and out with the correct tag - no NAT or anything.
I also have these, although scrubbing makes no difference to the problem:

# Options
set block-policy drop
set debug urgent
set skip on lo
set state-policy if-bound

# Scrub
#scrub random-id reassemble tcp
scrub random-id

This ruleset has worked for years. I noticed it failing with 5.1 and now
5.99.47. Am I completely missing something here? Does PF with IPv6 really not
work or is it me?

Where to start looking?

Regards

ND

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Jarek Poplawski
2011-03-01 21:43:11 UTC
Post by Nino Dehne
Hi,
I've been a long-time user of PF and IPv6. Apart from some problems with
IPv6 and modulate state it's always worked quite well for me.
Recently however, IPv6 states seem to be completely broken. Telnet from
xxxx:xxxx:xxxx:1::1:1 (NetBSD 5.0) to yyyy:yyyy:yyyy:1::2 (5.1) creates the
following states on the router (5.99.47)
vlan1 tcp yyyy:yyyy:yyyy:1::2[25] <- xxxx:xxxx:xxxx:1::1:1[55622] SYN_SENT:ESTABLISHED
[196436162 + 65536] wscale 3 [743966954 + 32769] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
id: f86c694d75000000 creatorid: 7780629f
vr1 tcp xxxx:xxxx:xxxx:1::1:1[55622] -> yyyy:yyyy:yyyy:1::2[25] ESTABLISHED:SYN_SENT
[743966954 + 32769] wscale 3 [196436162 + 65536] wscale 3
age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
id: f86c694d76000000 creatorid: 7780629f
@35 pass out quick on vr1 inet6 all flags S/SA keep state (if-bound) tagged LAN-EXT
@65 pass in quick on vlan1 inet6 from <allow_egress:8> to any flags S/SA keep state \
(if-bound) tag LAN-EXT
22:33:06.097421 rule 95/0(match): block in on vlan1: \
xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: Flags [F.], seq 0, \
ack 1, win 8280, options [nop,nop,TS val 777 ecr 186], length 0
Rule 95 is block drop log quick all.
...
Post by Nino Dehne
This ruleset has worked for years. I noticed it failing with 5.1 and now
5.99.47. Am I completely missing something here? Does PF with IPv6 really not
work or is it me?
Where to start looking?
Did you notice the blocked packet's source port number is different
from the established?

Regards,
Jarek P.

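Jarek's check (does the logged packet's 5-tuple actually belong to an existing state?) can be done mechanically by correlating the pflog line with the pfctl -ss state table. The script below is an added example written for this thread, not code from either poster or from NetBSD; the state dump and log line embedded in it are constructed from the text quoted above, the regexes assume the exact output formats shown there, and the interface is part of the lookup key because the ruleset uses state-policy if-bound.

```python
import re
from dataclasses import dataclass

# Constructed sample input, shaped like the pfctl -ss output in the thread
# (the xxxx/yyyy placeholders are the ones the original post already uses).
STATE_DUMP = """\
vlan1 tcp yyyy:yyyy:yyyy:1::2[25] <- xxxx:xxxx:xxxx:1::1:1[55622] SYN_SENT:ESTABLISHED
   [196436162 + 65536] wscale 3 [743966954 + 32769] wscale 3
   age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 65
   id: f86c694d75000000 creatorid: 7780629f
vr1 tcp xxxx:xxxx:xxxx:1::1:1[55622] -> yyyy:yyyy:yyyy:1::2[25] ESTABLISHED:SYN_SENT
   [743966954 + 32769] wscale 3 [196436162 + 65536] wscale 3
   age 00:00:08, expires in 00:00:23, 1:1 pkts, 84:84 bytes, rule 35
   id: f86c694d76000000 creatorid: 7780629f
"""

# Constructed pflog0 line, copied from the shape of the one in the thread.
PFLOG_DUMP = """\
22:33:06.097421 rule 95/0(match): block in on vlan1: xxxx:xxxx:xxxx:1::1:1.55581 > yyyy:yyyy:yyyy:1::2.25: Flags [F.], seq 0, ack 1, win 8280, options [nop,nop,TS val 777 ecr 186], length 0
"""

# First line of each pfctl -ss entry; continuation lines do not match and are skipped.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<a>\S+)\[(?P<aport>\d+)\]\s+(?P<arrow><-|->)\s+"
    r"(?P<b>\S+)\[(?P<bport>\d+)\]\s+(?P<state>\S+)$"
)

# tcpdump-on-pflog0 line as quoted in the thread (IPv6 address, then ".port").
PFLOG_RE = re.compile(
    r"^\S+ rule (?P<rule>\d+)/\d+\(\w+\): (?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flipped(self) -> "Flow":
        """Same state seen from the other direction (states are bidirectional)."""
        return Flow(self.iface, self.proto, self.dst, self.dport, self.src, self.sport)


def parse_states(text: str) -> list[tuple[Flow, str]]:
    """Parse pfctl -ss output into (flow, state) pairs oriented like the state's
    first packet: 'A[p] <- B[q]' is traffic from B:q to A:p."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        if g["arrow"] == "<-":
            flow = Flow(g["iface"], g["proto"], g["b"], int(g["bport"]), g["a"], int(g["aport"]))
        else:
            flow = Flow(g["iface"], g["proto"], g["a"], int(g["aport"]), g["b"], int(g["bport"]))
        states.append((flow, g["state"]))
    return states


def parse_pflog(text: str) -> list[dict]:
    """Parse tcpdump-style pflog lines into dicts carrying a Flow plus rule/flags."""
    entries = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        entries.append({
            "rule": int(g["rule"]), "action": g["action"], "dir": g["dir"], "flags": g["flags"],
            "flow": Flow(g["iface"], "tcp", g["src"], int(g["sport"]), g["dst"], int(g["dport"])),
        })
    return entries


def classify(flow: Flow, states: list[tuple[Flow, str]]) -> dict:
    """Say whether a logged packet matches a state, is a near miss (same hosts,
    interface and server port but a different client port, i.e. another
    connection), or has no related state at all."""
    for sflow, st in states:
        if flow in (sflow, sflow.flipped()):
            return {"verdict": "state-match", "state": st, "candidate": sflow}
    for sflow, st in states:
        for cand in (sflow, sflow.flipped()):
            same_ends = (cand.iface, cand.proto, cand.src, cand.dst, cand.dport) == \
                        (flow.iface, flow.proto, flow.src, flow.dst, flow.dport)
            if same_ends and cand.sport != flow.sport:
                return {"verdict": "other-connection", "state": st, "candidate": sflow,
                        "detail": f"logged sport {flow.sport} vs state sport {cand.sport}"}
    return {"verdict": "no-state", "state": None, "candidate": None}


def analyse(state_text: str = STATE_DUMP, pflog_text: str = PFLOG_DUMP) -> list[dict]:
    """Correlate every logged packet against the state table."""
    states = parse_states(state_text)
    results = []
    for entry in parse_pflog(pflog_text):
        r = classify(entry["flow"], states)
        r.update(rule=entry["rule"], flags=entry["flags"])
        results.append(r)
    return results


if __name__ == "__main__":
    for r in analyse():
        print(r["verdict"], r.get("detail", ""), "| rule", r["rule"], "| flags", r["flags"])
```

Run against the thread's data it reports the blocked FIN as "other-connection" with ports 55581 versus 55622: the packet belongs to a different TCP session than the state being inspected, so the block is rule 95 doing its job rather than IPv6 state tracking failing. Feeding it `pfctl -ss` and `tcpdump -n -e -ttt -i pflog0` output from a live box works the same way as long as the formats match the regexes.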