Stiil a regression with jails/IPv6/pf?

[Ruben van Staveren]

Hi,

On 31 Aug 2013, at 21:49, Tim Bishop <tim at bishnet.net> wrote:

> Hi all,
> 
> This is regarding kern/170070 and these two threads from last year:
> 
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html
> http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html
> 
> I'm running stable/9 r255017 and I'm seeing the same issue, even with
> the fix Bjoern committed in r238876.

This is still with "modulate state" in some rules that also hit ipv6 traffic ?

It almost looks like doing this kind of traffic alteration is considered harmful for IPv6
http://forums.freebsd.org/showthread.php?t=36595

If that is the case, then this should be applicable only to ipv4 traffic, without requiring specific knowledge from the user


> 
> My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and
> the problem is only with IPv6. I have jails with both IPv4 and IPv6
> addresses, and I use pf to rdr certain ports to certain jails. With IPv6
> I'm seeing failed checksums on the packets coming back out of my system,
> both with UDP and TCP.
> 
> If I connect over IPv6 to the jail host it works fine. If I connect over
> IPv6 to a jail directly (they have routable addresses, but I prefer them
> to all be masked behind the single jail host normally), it works fine.
> So the only failure case is when it goes through a rdr rule in pf.
> 
> This system replaces a previous one running stable/8 which worked fine
> with the same pf config file.
> 
> Has anyone got any suggestions on what I can do to fix this or to debug
> it further?
> 
> Thanks,
> 
> Tim.
> 
> -- 
> Tim Bishop
> http://www.bishnet.net/tim/
> PGP Key: 0x6C226B37FDF38D55
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 203 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20130902/863d5f4e/attachment.sig>