From owner-freebsd-pf@FreeBSD.ORG Mon Mar 18 20:33:45 2013 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 7EA68AA2 for ; Mon, 18 Mar 2013 20:33:45 +0000 (UTC) (envelope-from ilavsky.martin@gmail.com) Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by mx1.freebsd.org (Postfix) with ESMTP id 2595E902 for ; Mon, 18 Mar 2013 20:33:45 +0000 (UTC) Received: by mail-wi0-f175.google.com with SMTP id l13so3166747wie.14 for ; Mon, 18 Mar 2013 13:33:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=iDFFR4w0RBepb+8GLu2bInCbXgfkNBAeBz28ADH6SRc=; b=DO+VqVNH3OmIS3znXonLRVY3EtYLT/9NH6n9B5HyxmB+lRwdihWQb10P0UdrrcMErA 5S0htGZ/I/m56yDQcXA0R4OOIhvQr6f0kh4csUokLnmX55x/1dUtjtF9JXdkGSMrJCoR i60nHwCD7qaURonhTL2KmPh5RQ/FQ1d967wE/fyoRBLbWcboDdeC9GyWprqvSCq3+2Ob tRfm+8rarS4H5HqY+zceVAGaiwVBax/W2afAz8TPhGGm/8rJ4XW70iJuF3nu2Qptf5oC 25gs/g7j5llM1ZI8e/DL6qdwuS3oMvL1P5d/MRNuEpGwZeD2u0dZfQP7OMtSMmXFuviV arPg== MIME-Version: 1.0 X-Received: by 10.194.88.138 with SMTP id bg10mr28011461wjb.13.1363638824436; Mon, 18 Mar 2013 13:33:44 -0700 (PDT) Received: by 10.194.76.71 with HTTP; Mon, 18 Mar 2013 13:33:44 -0700 (PDT) Date: Mon, 18 Mar 2013 21:33:44 +0100 Message-ID: Subject: Regression with jails/IPv6/pf From: martin i To: freebsd-pf@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Mar 2013 20:33:45 -0000 > On 01/08/2012 18:13, Bjoern A. Zeeb wrote: > >> Any of you who are expereincing problems with packets dropped due to >> invalid checksums with IPv6 and pf after the recent merges, can you >> report back if you also see this without "modulate state" in your >> pf.conf (if you have 'modulate' in there, can you try changing it to >> 'keep' and see if that fixes the problem)? > > Alas, I was already using 'keep state'. I did just try 'modulate > state,' just on the off-chance but it makes no difference. Hi, I think I've the similar problem described in this thread, though I don't see any discards (no issues with tcpdump at least). My setup is amd64 9.1-RELEASE r245315. I posted my problem on FreeBSD forums too: http://forums.freebsd.org/showthread.php?t=38448 I've webserver in jail with private IPv4 and public IPv6 address. Jail IPs are assigned to custom loopback interfaces and ports 80,443 are redirected by PF to proper destination. My configuration was posted in thread mentioned above. Webserver is not reachable from outside, though PF shows traffic being correctly redirected to jail's IPs. This setup was working on 9.0-RELEASE. I verified this on home-lab setup. Martin -- ..life is hard, and then you die..