IPv6, PF problem

[Max Laier]

On Saturday 12 December 2009 22:11:28 Aaron Stellman wrote:
> Hello there,
> 
> > What does "pfctl -vvsr" give you for the rule?  It should include the
> > number of addresses assigned to the interface in the braces - e.g. "... 
> > (bge0:4) ..."
> 
> @8 pass in on bge0 proto tcp from any to (bge0:4) port = ftp flags S/SA
>  keep state [ Evaluations: 0         Packets: 0         Bytes: 0          
>  States: 0     ] [ Inserted: uid 0 pid 79900 ]
> 
> > In addition, can you try to add separate rules for inet and inet6 - i.e.
> >
> > pass in on $ext_if inet  proto tcp to ($ext_if) port 21
> > pass in on $ext_if inet6 proto tcp to ($ext_if) port 21
> 
> @8 pass in on bge0 inet proto tcp from any to (bge0:2) port = ftp flags
>  S/SA keep state [ Evaluations: 1         Packets: 17        Bytes: 916    
>      States: 1     ] [ Inserted: uid 0 pid 80198 ]
> @9 pass in on bge0 inet6 proto tcp from any to (bge0:2) port = ftp flags
>  S/SA keep state [ Evaluations: 1         Packets: 0         Bytes: 0      
>      States: 0     ] [ Inserted: uid 0 pid 80198 ]
> 
> and it passes inet6 connection with these two rules. Do you consider it
> a bug? This essentially forces me to have 2 separate rules for inet and
> inet6.

I do consider it a bug, but I can't reproduce it here.  Can you think of 
anything in your setup that might be special - e.g. the way you add the 
addresses to your interface?  Are you certain that you were testing with the 
right rules in place (your output above shows zero rule evaluations) which is 
a sign that something else went wrong.

Can anyone else reproduce this problem or did you see something similar?

Regards,

--
 Max