PF: matching gif(4) encapsulated IPv6

[Kimmo Paasiala]

On Thu, Sep 6, 2012 at 2:13 AM, Kimmo Paasiala <kpaasial at gmail.com> wrote:
> Hello,
>
> I'd like to prioritize gif(4) encapsulated IPv6 over other IPv4
> traffic on an interface. I have queues set up and the shaping works
> for other types of IPv4 traffic but for some reason I can't find a way
> to match outgoing protocol 41 (ipv6) on the interface. My rule is
> simply:
>
> pass out log quick on $WAN proto ipv6 from <myendpoint> to
> <remoteendpoint>  queue(qWAN_proto41)
>
> The rule should match but gets no hits. What is really puzzling is
> that pfctl -v -ss shows a state:
>
> all ipv6 <myendpoint> -> <remoteendpoint>       MULTIPLE:MULTIPLE
>    age 28:01:28, expires in 00:00:59, 198282:210890 pkts,
> 31007357:140434503 bytes
>
> What creates this state if it's not my rule?
>
> System details: 9-STABLE r239722 amd64. Pf(4) compiled with altq(4)
> and loaded as modules.
>
> ifconfig gif0 shows:
>
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
>         tunnel inet <myendpoint> --> <remoteendpoint>
>         inet6 fe80::6ef0:49ff:fed3:b400%gif0 prefixlen 64 scopeid 0x6
>         inet6 <tunnelipv6local> --> <tunnelipv6remote> prefixlen 128
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>         options=1<ACCEPT_REV_ETHIP_VER
>
> ifconfig em0 (WAN):
>
> em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric
> 0 mtu 1500
>         options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
>         ether 00:1b:21:14:ca:5e
>         inet6 fe80::21b:21ff:fe14:ca5e%em0 prefixlen 64 scopeid 0x2
>         inet <myendpoint> netmask 0xfffff000 broadcast aa.bb.cc.dd
>         nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active

This was probably a failure to properly reset states after changing
configuration. After a 'service pf restart' the rule works. Sorry for
the noise.

-Kimmo