Date: Mon, 2 Sep 2013 20:33:52 +0100
From: Tim Bishop <tim@bishnet.net>
To: Ruben van Staveren <ruben@verweg.com>
Cc: bz@FreeBSD.org, freebsd-stable@FreeBSD.org, freebsd-pf@FreeBSD.org
Subject: Re: Stiil a regression with jails/IPv6/pf?
Message-ID: <20130902193352.GA18004@carrick-users.bishnet.net>
In-Reply-To: <8A6CE540-7AF3-4472-B0CC-A222036557C0@verweg.com>
References: <20130831194951.GC44979@carrick-users.bishnet.net> <8A6CE540-7AF3-4472-B0CC-A222036557C0@verweg.com>

Hi,

On Mon, Sep 02, 2013 at 12:22:11PM +0200, Ruben van Staveren wrote:
> On 31 Aug 2013, at 21:49, Tim Bishop <tim@bishnet.net> wrote:
> > This is regarding kern/170070 and these two threads from last year:
> >
> > http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html
> > http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html
> >
> > I'm running stable/9 r255017 and I'm seeing the same issue, even with
> > the fix Bjoern committed in r238876.
>
> This is still with "modulate state" in some rules that also hit ipv6
> traffic?

No, I'm not using "modulate state". Only "keep state".

> It almost looks like doing this kind of traffic alteration is
> considered harmful for IPv6
> http://forums.freebsd.org/showthread.php?t=36595

So it doesn't look like that's the same problem. It's certainly similar
(IPv6 and pf), but doesn't involve the rdr rule or jails. IPv6 is
otherwise working fine through pf.

Tim.

> If that is the case, then this should be applicable only to ipv4
> traffic, without requiring specific knowledge from the user
>
> >
> > My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and
> > the problem is only with IPv6. I have jails with both IPv4 and IPv6
> > addresses, and I use pf to rdr certain ports to certain jails. With IPv6
> > I'm seeing failed checksums on the packets coming back out of my system,
> > both with UDP and TCP.
> >
> > If I connect over IPv6 to the jail host it works fine. If I connect over
> > IPv6 to a jail directly (they have routable addresses, but I prefer them
> > to all be masked behind the single jail host normally), it works fine.
> > So the only failure case is when it goes through a rdr rule in pf.
> >
> > This system replaces a previous one running stable/8 which worked fine
> > with the same pf config file.
> >
> > Has anyone got any suggestions on what I can do to fix this or to debug
> > it further?
> >
> > Thanks,
> >
> > Tim.

-- 
Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x6C226B37FDF38D55
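
Added example, not part of the original message and not FreeBSD or pf code: a Python check of the UDP-over-IPv6 checksum, showing why a reply whose source address is translated fails verification unless the checksum is updated to match. The addresses, ports, payload and function names are constructed for illustration, and it is not a diagnosis of kern/170070.

```python
import ipaddress
import struct

UDP = 17  # IPv6 next-header value for UDP

def fold_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); odd input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """IPv6 pseudo-header: source, destination, upper-layer length, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I3xB", upper_len, UDP))

def build_udp6(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP datagram whose checksum is correct for the given src/dst pair."""
    length = 8 + len(payload)
    body = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = ~fold_sum(pseudo_header(src, dst, length) + body) & 0xFFFF
    return body[:6] + struct.pack("!H", csum or 0xFFFF) + body[8:]

def checksum_ok(src: str, dst: str, datagram: bytes) -> bool:
    """A valid datagram sums to 0xFFFF together with its pseudo-header."""
    return fold_sum(pseudo_header(src, dst, len(datagram)) + datagram) == 0xFFFF

def fix_after_rewrite(new_src: str, dst: str, datagram: bytes) -> bytes:
    """Recompute the checksum for a datagram whose source address was translated."""
    sport, dport = struct.unpack("!HH", datagram[:4])
    return build_udp6(new_src, dst, sport, dport, datagram[8:])

# Constructed addresses (documentation prefix 2001:db8::/32), not from the thread.
JAIL, HOST, CLIENT = "2001:db8::10", "2001:db8::1", "2001:db8:ffff::2"

def demo() -> dict:
    reply = build_udp6(JAIL, CLIENT, 53, 40000, b"constructed reply")
    return {
        "as_sent_by_jail": checksum_ok(JAIL, CLIENT, reply),
        "src_rewritten_only": checksum_ok(HOST, CLIENT, reply),
        "src_rewritten_and_fixed": checksum_ok(HOST, CLIENT, fix_after_rewrite(HOST, CLIENT, reply)),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'checksum ok' if ok else 'bad checksum'}")
```

The same check can be applied to the UDP bytes of a packet captured on the external interface, using the addresses from its IPv6 header.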