kern/146832: [pf] "(self)" not always mathing all local IPv6
addresses
Christian Laursen
xi at borderworlds.dk
Sat May 22 15:10:01 UTC 2010
>Number: 146832
>Category: kern
>Synopsis: [pf] "(self)" not always mathing all local IPv6 addresses
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 22 15:10:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Christian Laursen
>Release: FreeBSD 8.0-RELEASE-p2 amd64
>Organization:
The Border Worlds
>Environment:
System: FreeBSD talaxian.borderworlds.dk 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #4: Thu Jan 7 21:11:54 CET 2010 root at talaxian.borderworlds.dk:/usr/obj/usr/src/sys/TALAXIAN amd64
>Description:
I have tripped over what I believe is a bug in pf.
On my test machine I have this fairly simple ruleset:
===============================================
set block-policy return
set skip on lo0
block in all
pass out proto { tcp, udp } all keep state
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all
pass in proto tcp from any to (self) port 22
===============================================
After booting the machine ifconfig for em0 looks like this:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:73:96:a9
inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
The problem is that when I try to ssh to the machine the connection is not allowed through:
[xi at talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused
I have tried various things when I tried to figure out what is going on here. In this case it helps to add another IPv6 address to em0:
ifconfig em0 inet6 2001:6c8:6:6::2
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 08:00:27:73:96:a9
inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
inet6 2001:6c8:6:6::2 prefixlen 64
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
After doing this, ssh works:
[xi at talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr 6 21:56:48 2010 from 10.1.0.2
I have observed this problem on 7.3, 8.0 and -CURRENT (From april 1).
I can mention that changing "(self)" to "self" in the ruleset works as expected and the problem returns when changing it back.
When I see this behaviour, it can also be "fixed" by adding another interface, eg. "ifconfig gif0 create".
I hope that this makes sense and that someone more familiar with the inner workings of pf is able to reproduce it. I like using "(self)" but when it doesn't work reliably I'm forced to resort to workarounds.
If I need to provide more info, I'll be happy to do so.
Thanks in advance.
>How-To-Repeat:
Use "(self)" in your pf ruleset along with IPv6.
I have not been able to figure out exactly when this behaviour is triggered but it has happened to me often
enough to be annoying.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list