From nobody Mon Feb 07 18:10:16 2022
X-Original-To: freebsd-pf@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 45E99195C545
	for <freebsd-pf@mlmmj.nyi.freebsd.org>; Mon,  7 Feb 2022 18:10:31 +0000 (UTC)
	(envelope-from meka@tilda.center)
Received: from c3po.tilda.center (c3po.tilda.center [108.61.164.129])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JsvM94gV6z4dGZ
	for <freebsd-pf@freebsd.org>; Mon,  7 Feb 2022 18:10:29 +0000 (UTC)
	(envelope-from meka@tilda.center)
Received: from tilda.center (178-220-5-137.static.isp.telekom.rs [178.220.5.137])
	by c3po.tilda.center (Postfix) with ESMTPSA id BB7F61C5DB
	for <freebsd-pf@freebsd.org>; Mon,  7 Feb 2022 19:10:26 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tilda.center;
	s=c3po; t=1644257426;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=qQvrk4e3Lt4q0xWUZBEubRiUY1SbAbnhOD9c/akV/sY=;
	b=NWxGHNqeoEv9y2RpzHJzxP7qdYHz9kjJa7u7VmUATnGv5SIH06sULKe4AdUcIZ/n7cJGi3
	sx/dkyorKUaMYDvRbk2HUPJKY9orvWP1lbZDQ1hmJ/9mGhP7m1wfryjB/sR5jnrxyOHl7Q
	NPNfnOiTG36U6srgv66fpB+1sW8dY5Y=
Date: Mon, 7 Feb 2022 19:10:16 +0100
From: Goran =?utf-8?B?TWVracSH?= <meka@tilda.center>
To: freebsd-pf@freebsd.org
Subject: Re: IPv6 and NAT
Message-ID: <20220207181016.7yp42a7cdqb3lqy3@tilda.center>
References: <20220207094154.fx23xi4i6volsqt7@tilda.center>
List-Id: Technical discussion and general questions about packet filter (pf) <freebsd-pf.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
List-Help: <mailto:pf+help@freebsd.org>
List-Post: <mailto:pf@freebsd.org>
List-Subscribe: <mailto:pf+subscribe@freebsd.org>
List-Unsubscribe: <mailto:pf+unsubscribe@freebsd.org>
Sender: owner-freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="ktxz2p3hn3ydn2nh"
Content-Disposition: inline
In-Reply-To: <20220207094154.fx23xi4i6volsqt7@tilda.center>
X-Rspamd-Queue-Id: 4JsvM94gV6z4dGZ
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	dkim=fail ("headers rsa verify failed") header.d=tilda.center header.s=c3po header.b=NWxGHNqe;
	dmarc=pass (policy=reject) header.from=tilda.center;
	spf=pass (mx1.freebsd.org: domain of meka@tilda.center designates 108.61.164.129 as permitted sender) smtp.mailfrom=meka@tilda.center
X-Spamd-Result: default: False [-4.13 / 15.00];
	 RCVD_VIA_SMTP_AUTH(0.00)[];
	 ARC_NA(0.00)[];
	 MID_RHS_MATCH_FROM(0.00)[];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 R_SPF_ALLOW(-0.20)[+mx];
	 MIME_GOOD(-0.20)[multipart/signed,text/plain];
	 TO_DN_NONE(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-pf@freebsd.org];
	 RCPT_COUNT_ONE(0.00)[1];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 NEURAL_HAM_MEDIUM(-0.92)[-0.920];
	 R_DKIM_REJECT(0.00)[tilda.center:s=c3po];
	 DKIM_TRACE(0.00)[tilda.center:-];
	 DMARC_POLICY_ALLOW(0.00)[tilda.center,reject];
	 NEURAL_HAM_SHORT(-0.14)[-0.142];
	 DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
	 MLMMJ_DEST(0.00)[freebsd-pf];
	 SIGNED_PGP(-2.00)[];
	 FROM_EQ_ENVFROM(0.00)[];
	 MIME_TRACE(0.00)[0:+,1:+,2:~];
	 R_MIXED_CHARSET(0.83)[subject];
	 ASN(0.00)[asn:20473, ipnet:108.61.164.0/22, country:US];
	 RCVD_COUNT_TWO(0.00)[2];
	 RCVD_TLS_ALL(0.00)[]
X-ThisMailContainsUnwantedMimeParts: N


--ktxz2p3hn3ydn2nh
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

To answer my own question, prefix for bridge interface on host and epair
interface in jail were different, so PF didn't pick packets generated
inside jail.

Sorry for the noise, I've been looking at this for few days and I'm
obviously tired.

Regards,
meka

--ktxz2p3hn3ydn2nh
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEE1WIFkXy2ZeMKjjKEWj1TknovrLYFAmIBYIQACgkQWj1Tknov
rLa5DQ//R/YIVqr8DE/BZcffVzDygyBTObTFA70pYV7x0Gz7rSu7nGiRkSIWLGAo
K3HwZo72OaJq4RYW+fYYgFEPod8sp2FA76QUIVC6/8laddRSvOwJNKBD52a82TnA
DC8UgSS0dl9EApXgaGxHdnV0Vg5TqVAYIew7HCF2ATsdbRZx4FUOjNkUNw0z1Pzr
E0SZwRDz27LjNaUCR3E0OZkJqwG7GkCwdfUqeaO2gFEyMbMrhlPb3bzeBr0BXqjG
cqWnKLm+MFJqhCmSPt4gO+mtqxB+LrmU5ed54P9DWebvmplcQ1EfKE4sBtCX1SdM
pr6SwVMk/7CUhEAjHdZgmPHJxGAgzoEOvrAlf0MmMiFTupGDVUxHjde+tERBVd8Z
nfcdP55coSVwJwdtiHSMXR01Bmxqw8V6CHa9qqCRqmfynA4GHgLP78toYFIj8YbH
Ap+kHTKPBiHjvdFT2AyRM/QakuGgYKn0eayYUXliVIXNvWCGGE1hWjlAd54Kd0eO
Rz/yRNfJNcFjSaTbmK6frX4IOUnffMRDHI5k4TTHBHX4gqOT79JrVGtjZflrP9N8
9K4tqE2Z/ezBYaPL6/RK5w7mWXs8AtqpI2HJtph+tvj4P7qtPhrSmjHHmOyUJ13F
TM34JqGisDwwkqQQqkxjYBcwIKiJyIaV5xA6xVWaD/MwytHTNoo=
=Fr9N
-----END PGP SIGNATURE-----

--ktxz2p3hn3ydn2nh--