[Bug 284946] pf: af-to fails when IPv4 nexthop is an IPv6 address
Date: Fri, 21 Feb 2025 10:31:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=284946
Bug ID: 284946
Summary: pf: af-to fails when IPv4 nexthop is an IPv6 address
Product: Base System
Version: 15.0-CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: lexi@hemlock.eden.le-fay.org
interface configuration:
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=4c00bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
        ether 52:54:00:bb:17:50
        inet 46.235.229.111/32 broadcast 46.235.229.111
        inet6 fe80::5054:ff:febb:1750%vtnet0/64 scopeid 0x1
        inet6 2a00:1098:6b::1/128
        groups: arpa
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
note that the IPv4 address is a /32.
default route:
   route to: 0.0.0.0
destination: 0.0.0.0
       mask: 0.0.0.0
    gateway: fe80::1%vtnet0
        fib: 0
  interface: vtnet0
      flags: <UP,GATEWAY,DONE>
 recvpipe  sendpipe  ssthresh  rtt,msec    mtu        weight    expire
       0         0         0         0      1500         1         0
IPv4 connectivity works fine:
# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=57 time=1.241 ms
then i added this af-to rule:
pass in on { lf, ep.yarrow } inet6 from <lf> to 64:ff9b::/96 af-to inet from 46.235.229.111/32
when pinging 64:ff9b::1.1.1.1 from another machine, traffic appears on the
internal interface:
10:24:28.751677 IP6 2a00:1098:6b:100::2 > 64:ff9b::101:101: ICMP6, echo request, id 4695, seq 0, length 16
10:24:29.771743 IP6 2a00:1098:6b:100::2 > 64:ff9b::101:101: ICMP6, echo request, id 4695, seq 1, length 16
10:24:30.830451 IP6 2a00:1098:6b:100::2 > 64:ff9b::101:101: ICMP6, echo request, id 4695, seq 2, length 16
however, the traffic disappears into a black hole; it does not appear on vtnet0
on the router or in pflog.
when this happens, the router logs:
Feb 21 10:24:28 yarrow kernel: arpresolve: can't allocate llinfo for 0.0.0.0 on vtnet0
Feb 21 10:24:30 yarrow syslogd: last message repeated 2 times
the pf state entry:
all ipv6-icmp 46.235.229.111:4709 (2a00:1098:6b:100::2[4709]) -> 1.1.1.1:8 (64:ff9b::101:101[4709]) NO_TRAFFIC:NO_TRAFFIC
if i change the external IPv4 address to a /24 and add an IPv4 default route,
then the af-to rule starts working:
10:28:05.991764 IP 46.235.229.111 > 1.1.1.1: ICMP echo request, id 4725, seq 10, length 16
10:28:05.993141 IP 1.1.1.1 > 46.235.229.111: ICMP echo reply, id 4725, seq 10, length 16
10:28:07.041611 IP 46.235.229.111 > 1.1.1.1: ICMP echo request, id 4725, seq 11, length 16
10:28:07.042860 IP 1.1.1.1 > 46.235.229.111: ICMP echo reply, id 4725, seq 11, length 16
^C
and pf now has two state entries:
vtnet0 icmp 46.235.229.111:28946 -> 1.1.1.1:8 0:0
all ipv6-icmp 46.235.229.111:4725 (2a00:1098:6b:100::2[4725]) -> 1.1.1.1:8 (64:ff9b::101:101[4725]) NO_TRAFFIC:NO_TRAFFIC
however, that's the wrong configuration for this network, so i can't leave it
in place except for quick testing.
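
A small triage check for the two symptoms described in this report, added here as an example (it is not from the reporter or the FreeBSD project): it classifies the gateway's address family in `route get` output and counts the arpresolve failures in log lines, including syslogd's "last message repeated" lines. The function names are hypothetical and the sample input is constructed from the output quoted above.

```shell
#!/bin/sh
# Added triage sketch; function names are hypothetical.

# Print the gateway's address family from `route -n get default` style
# output on stdin: inet, inet6, other, or none.
gw_family() {
    awk '$1 == "gateway:" { gw = $2 }
         END {
             if (gw == "") print "none"
             else if (gw ~ /:/) print "inet6"
             else if (gw ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print "inet"
             else print "other"
         }'
}

# Count arpresolve failures for 0.0.0.0 in log lines on stdin, adding
# the N from a following "last message repeated N times" line.
arp_failures() {
    awk '/last message repeated [0-9]+ times/ { if (hit) n += $(NF - 1); next }
         { hit = ($0 ~ /arpresolve: can.t allocate llinfo for 0\.0\.0\.0/) }
         hit { n++ }
         END { print n + 0 }'
}

# Constructed samples, taken from the output quoted in the report.
SAMPLE_ROUTE='destination: 0.0.0.0
    gateway: fe80::1%vtnet0
  interface: vtnet0'
SAMPLE_LOG="Feb 21 10:24:28 yarrow kernel: arpresolve: can't allocate llinfo for 0.0.0.0 on vtnet0
Feb 21 10:24:30 yarrow syslogd: last message repeated 2 times"

# True when both symptoms from the report are present.
matches_report() {   # $1 = route output, $2 = log text
    [ "$(printf '%s\n' "$1" | gw_family)" = inet6 ] &&
        [ "$(printf '%s\n' "$2" | arp_failures)" -gt 0 ]
}

if matches_report "$SAMPLE_ROUTE" "$SAMPLE_LOG"; then
    echo "IPv4 default route has an IPv6 gateway and arpresolve is failing"
fi
```

On a live system the same functions can read `route -n get default` output and the kernel lines from `/var/log/messages` instead of the embedded samples.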