From owner-freebsd-pf@FreeBSD.ORG  Sun Jul  4 05:25:07 2010
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3DF09106566B
	for <freebsd-pf@freebsd.org>; Sun,  4 Jul 2010 05:25:07 +0000 (UTC)
	(envelope-from gofdp-freebsd-pf@m.gmane.org)
Received: from lo.gmane.org (lo.gmane.org [80.91.229.12])
	by mx1.freebsd.org (Postfix) with ESMTP id ED3258FC22
	for <freebsd-pf@freebsd.org>; Sun,  4 Jul 2010 05:25:06 +0000 (UTC)
Received: from list by lo.gmane.org with local (Exim 4.69)
	(envelope-from <gofdp-freebsd-pf@m.gmane.org>) id 1OVHhP-0002tF-T6
	for freebsd-pf@freebsd.org; Sun, 04 Jul 2010 07:25:04 +0200
Received: from static-78-8-147-77.ssp.dialog.net.pl ([78.8.147.77])
	by main.gmane.org with esmtp (Gmexim 0.1 (Debian))
	id 1AlnuQ-0007hv-00
	for <freebsd-pf@freebsd.org>; Sun, 04 Jul 2010 07:25:03 +0200
Received: from mwisnicki+freebsd by static-78-8-147-77.ssp.dialog.net.pl with
	local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00
	for <freebsd-pf@freebsd.org>; Sun, 04 Jul 2010 07:25:03 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: freebsd-pf@freebsd.org
From: Marcin Wisnicki <mwisnicki+freebsd@gmail.com>
Date: Sun, 4 Jul 2010 05:24:10 +0000 (UTC)
Lines: 36
Message-ID: <i0p5tq$val$1@dough.gmane.org>
References: <4C2F3B3D.70306@interactive-net.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Complaints-To: usenet@dough.gmane.org
X-Gmane-NNTP-Posting-Host: static-78-8-147-77.ssp.dialog.net.pl
User-Agent: Pan/0.132 (Waxed in Black)
Subject: Re: urpf-failed & ipv6
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jul 2010 05:25:07 -0000

On Sat, 03 Jul 2010 15:29:33 +0200, Reinhard Haller wrote:

> Hi,
> 
> I recently discovered a strange behavior on my border router. In the
> following ruleset:
> 
> block log all
> block in log quick from urpf-failed to any pass quick on $int_if inet6
> proto udp from any to any port ripng block drop on !$int_if inet6 proto
> udp from any to any port ripng
> 
> all occurrences of
> 
> fe80::<mac-address>%$int_if -> ff02::9
> 
> were blocked by the urpf-failed rule.
> 
> Any suggestuions why this happens?

Probably this change:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/pf.c#rev1.625
seems it's not yet merged to freebsd.

I'm using following as a temporary solution (adapted from rc.firewall):

block log all
anchor "ipv6-link-local" quick inet6 {
  pass proto icmp6 from :: to ff02::/16
  pass proto icmp6 from fe80::/10 to fe80::/10
  pass proto icmp6 from fe80::/10 to ff02::/16
  pass from fe80::/10 to ff02::/16
  pass from (self:network) to ff02::/16
  pass proto udp from fe80::/10 to (self) port dhcpv6-client
}
block in log quick from urpf-failed