[Bug 193568] PF rdr rule with ipv6 does not work
bugzilla-noreply at freebsd.org
Wed Jan 17 21:25:18 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
Alan Somers <asomers at FreeBSD.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |asomers at FreeBSD.org
Status|New |Open
--- Comment #2 from Alan Somers <asomers at FreeBSD.org> ---
This is NOT a duplicate of 179392. It has nothing to do with checksums. In
fact, it technically isn't a bug at all. The problem is that you're asking PF
to do something that's illegal in IPv6.
IPv6 addresses have the concept of "scopes". A scope is the domain in which a
particular address is valid. Localhost (::1) has local scope, link-local
addresses (fe80:*) have link-local scope, site-local addresses (fec0:*) have
site-local scope, and global addresses (everything else) have global scope.
Since ::1 only has local scope, it's only valid for traffic that originates and
ends on the local machine. For that reason, it is specifically forbidden to
assign ::1 to a real network interface.
Your PF rule redirects a packet to ::1, but doesn't change the receiving
interface. Thus, it violates scoping rules. You can tell by running 'netstat
-s -f inet6 | grep "violated scope"' before and after generating the traffic
that you want to redirect. The check is in in6_setscope().
The simple workaround is to change your rdr rule to redirect to your actual
link-local, site-local, or global IPv6 address instead of ::1.
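The diagnostic suggested in the comment is to compare the "violated scope" counter from `netstat -s -f inet6` before and after generating the redirected traffic. The script below is an added example, not part of the bug thread or of FreeBSD itself: it parses that counter out of netstat's text and reports whether it grew. It assumes FreeBSD's line wording "N packets that violated scope rules"; the two snapshots embedded in the script are constructed sample output so it runs anywhere, and `--live` switches to real netstat calls on a FreeBSD host.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeBSD): detect IPv6 scope
# violations, as happen when a pf rdr rule sends traffic to ::1, by
# diffing the ip6 "violated scope rules" counter across two snapshots.
# Assumption: the counter line reads "N packets that violated scope rules".

# Read netstat -s -f inet6 text on stdin and print the scope-violation
# counter; prints 0 when the line is absent so the caller always gets a number.
scope_violations() {
    awk '/violated scope/ { print $1; found = 1 }
         END { if (!found) print 0 }'
}

# Print how much the counter grew between two snapshots.
scope_delta() {
    echo $(( $2 - $1 ))
}

# Constructed sample snapshots standing in for real netstat output.
SAMPLE_BEFORE='ip6:
	1234 total packets received
	0 packets that violated scope rules'
SAMPLE_AFTER='ip6:
	1240 total packets received
	3 packets that violated scope rules'

before=$(printf '%s\n' "$SAMPLE_BEFORE" | scope_violations)
after=$(printf '%s\n' "$SAMPLE_AFTER" | scope_violations)

if [ "${1:-}" = "--live" ]; then
    # On a FreeBSD host: snapshot, generate the traffic the rdr rule
    # should match, press Enter, snapshot again.
    before=$(netstat -s -f inet6 | scope_violations)
    printf 'Generate the traffic to be redirected, then press Enter... '
    read -r _
    after=$(netstat -s -f inet6 | scope_violations)
fi

delta=$(scope_delta "$before" "$after")
if [ "$delta" -eq 0 ]; then
    echo "no new scope violations (counter stayed at $before)"
else
    echo "counter grew $before -> $after: a rule is likely redirecting to an address outside the interface's scope"
fi
```

If the counter climbs in step with the redirected packets, the fix is the one given above: point the rdr at a link-local, site-local, or global address that is actually configured on the receiving interface rather than at ::1.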