kern/155945: [pf] [ip6] pf match engine is broken with ipv6

Remko Lodder remko at
Sat Mar 26 23:34:55 UTC 2011

Dear Eugene,

On Mar 26, 2011, at 9:00 PM, Eugene M. Zheganin wrote:

> The following reply was made to PR kern/155945; it has been noted by GNATS.
> From: "Eugene M. Zheganin" <eugene at>
> To: bug-followup at
> Cc:  
> Subject: Re: kern/155945: [pf] [ip6] pf match engine is broken with ipv6
> Date: Sun, 27 Mar 2011 00:12:22 +0500
> Yes, it does.
> Thank you.

You are welcome, of course!

> So, does this mean it's not a bug?

No, it's not a bug.

> To be honest, I figured out this solution by myself a few hours earlier.

:-) good work then!

> In my defense I should say that <af> is referenced in pf.conf manual 
> page only 2 times (for the whole article) and it's quite difficult to 
> figure out that thing by myself. Earlier I encountered a similar problem 
> with ipfw, which was even weirder (you have to put proto ipv6 at the end 
> of the rule, where it means 'inner proto', but not at the beginning of 
> the rule, where it means something different).

I don't know IPFW, but I do understand PF a fair bit. Most recently (in the last few days)
I added a tunnel to my pfSense box, and well, it needs IPv6 connectivity
through PF... so I was kinda cheating because I knew what meant what ;)

> I think at least documentation should be made more clear.

If it is not clear enough it might be an idea to get it more clear. The problem on our end is
that it's contributed code, from OpenBSD (by Daniel Hartmeier) and that if we are to modify
it locally, we potentially generate a lot of fuzz when someone imports a newer version, which
is what Ermal is currently doing (with Bjoern if I can recall correctly). So, we need to get this
upstream if it is really unclear/needed.

Are there others that confirm this?

> Sorry for your time; thanks for the answer.

No problem, my time wasn't wasted, because it helped you! That's the great thing about the
community, as long as it helps people, we don't mind :-)


> Eugene.

/"\   Best regards,                        | remko at
\ /   Remko Lodder                      |
X    | Quis custodiet ipsos custodes
/ \   ASCII Ribbon Campaign    | Against HTML Mail and News
