[Bug 193568] PF rdr rule with ipv6 does not work

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Wed Jan 17 21:25:18 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568

Alan Somers <asomers at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |asomers at FreeBSD.org
             Status|New                         |Open

--- Comment #2 from Alan Somers <asomers at FreeBSD.org> ---
This is NOT a duplicate of 179392.  It has nothing to do with checksums.  In
fact, it technically isn't a bug at all.  The problem is that you're asking PF
to do something that's illegal in IPv6.

IPv6 addresses have the concept of "scopes".  A scope is the domain in which a
particular address is valid.  Localhost (::1) has local scope, link-local
addresses (fe80:*) have link-local scope, site-local addresses (fec0:*) have
site-local scope, and global addresses (everything else) have global scope.
Since ::1 only has local scope, it's only valid for traffic that originates and
ends on the local machine.  For that reason, it is specifically forbidden to
assign ::1 to a real network interface.

Your PF rule redirects a packet to ::1, but doesn't change the receiving
interface.  Thus, it violates scoping rules.  You can tell by running 'netstat
-s -f inet6 | grep "violated scope"' before and after generating the traffic
that you want to redirect.  The check is in in6_setscope().

The simple workaround is to change your rdr rule to redirect to your actual
link-local, site-local, or global IPv6 address instead of ::1.

-- 
You are receiving this mail because:
You are the assignee for the bug.
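The check Alan describes, written out as an added shell example (not part of the bug report or of FreeBSD): it parses the "violated scope" counter from `netstat -s -f inet6` output and compares a before/after snapshot. The pf rules, interface `em0` and address `2001:db8::1` are hypothetical, and the netstat lines are constructed samples.

```shell
#!/bin/sh
# Added helper, not from the bug report: tell whether traffic hitting a pf rdr
# rule is being dropped for IPv6 scope violations, using the netstat counter the
# comment points at. Interface and addresses below are hypothetical.
#
# Constructed pf.conf fragment. The first rule is the reported problem, the
# second is the workaround from the comment:
#   rdr on em0 inet6 proto tcp from any to any port 8080 -> ::1 port 80
#   rdr on em0 inet6 proto tcp from any to any port 8080 -> 2001:db8::1 port 80
# ::1 is node-local, so a packet that arrived on em0 and is rewritten to ::1
# fails the scope check in in6_setscope() and the counter below goes up.

# Read `netstat -s -f inet6` output on stdin and print the scope-violation count.
# FreeBSD prints a line like: "        3 packets that violated scope rules"
scope_violations() {
    awk '/violated scope/ { print $1; found = 1 } END { if (!found) print 0 }'
}

# Compare two counter values. Prints a one-word verdict and returns 1 if the
# counter rose between the snapshots (the rdr target is being dropped).
compare_scope_counters() {
    before=$1
    after=$2
    if [ "$after" -gt "$before" ]; then
        echo "scope-violation"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed netstat snapshots standing in for two real runs of
#   netstat -s -f inet6 | grep "violated scope"
# taken before and after sending test traffic through the rdr rule.
BEFORE_SAMPLE='        0 packets that violated scope rules'
AFTER_SAMPLE='        4 packets that violated scope rules'

demo() {
    before=$(printf '%s\n' "$BEFORE_SAMPLE" | scope_violations)
    after=$(printf '%s\n' "$AFTER_SAMPLE" | scope_violations)
    echo "violated-scope counter: before=$before after=$after"
    compare_scope_counters "$before" "$after"
}

demo || echo "fix: redirect to the interface's real IPv6 address instead of ::1"
```

On a real host, replace the two sample strings with the captured output of the netstat command taken before and after generating the traffic.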