Regression with jails/IPv6/pf
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Wed Aug 1 17:13:34 UTC 2012
On Thu, 26 Jul 2012, Matthew Seaman wrote:
Hi,
as there have been more people having problems with pf and IPv6 after
the changes I am replying to stable@ cc: pf at .
...
> [...]
>
> nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
> rdr inet6 proto tcp from <localnets> to $xenophobe_ext \
> port { 22, 80, 443, 548, 4700 } -> $xenophobe_int
>
> When trying to ssh into the jail with a kernel exhibiting this problem,
> tcpdump showed that traffic was reaching the sshd in the jail and
> responses were being generated, but they didn't make it out onto the net.
Any of you who are expereincing problems with packets dropped due to
invalid checksums with IPv6 and pf after the recent merges, can you
report back if you also see this without "modulate state" in your
pf.conf (if you have 'modulate' in there, can you try changing it to
'keep' and see if that fixes the problem)?
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
More information about the freebsd-stable
mailing list