"(self)" not always mathing all local IPv6 addresses

Christian Laursen xi at borderworlds.dk
Tue Apr 6 18:25:46 UTC 2010 

Hello,

I have tripped over what I believe is a bug in pf.

On my test machine I have this fairly simple ruleset:
===============================================
set block-policy return
set skip on lo0

block in all

pass out proto { tcp, udp } all keep state

pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all

pass in proto tcp from any to (self) port 22
===============================================

After booting the machine ifconfig for em0 looks like this:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
         ether 08:00:27:73:96:a9
         inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
         inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
         inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active

The problem is that when I try to ssh to the machine the connection is 
not allowed through:
[xi at talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection 
refused

I have tried various things when I tried to figure out what is going on 
here. In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
         ether 08:00:27:73:96:a9
         inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
         inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
         inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
         inet6 2001:6c8:6:6::2 prefixlen 64
         nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
         media: Ethernet autoselect (1000baseT <full-duplex>)
         status: active

After doing this, ssh works:

[xi at talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr  6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT less than a week old.

I can mention that changing "(self)" to "self" in the ruleset works as 
expected and the problem returns when changing it back.

When I see this behaviour, it can also be "fixed" by adding another 
interface, eg. "ifconfig gif0 create".

I hope that this makes sense and that someone more familiar with the 
inner workings of pf is able to reproduce it. I like using "(self)" but 
when it doesn't work reliably I'm forced to resort to workarounds.

If I need to provide more info, I'll be happy to do so.

Thanks in advance.

-- 
Christian Laursen

More information about the freebsd-pf mailing list