From: FreeBSD User <freebsd@walstatt-de.de>
To: freebsd-net@freebsd.org, FreeBSD CURRENT <freebsd-current@freebsd.org>
Subject: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW
Date: Sat, 18 Feb 2023 16:42:58 +0100
Message-ID: <20230218164325.3a4c626a@thor.intern.walstatt.dynvpn.de>
Organization: walstatt-de.de
List-Archive: https://lists.freebsd.org/archives/freebsd-current
Hello,

running a small nanoBSD firewall/router appliance, the WAN interface (tun0) is configured via SLAAC when it comes to IPv6. The appliance is running in-kernel compiled IPFW. The OS is FreeBSD 13-STABLE, compiled on a recurrent weekly basis.

On a 24 hour basis, the ISP changes the IPv4 and IPv6 on the WAN interface. We use NPTv6 to translate ULA addresses for the inner IPv6 networks. We use IPv6 privacy on the tun0 interface.

The router/firewall is operating correctly after a reboot or restart of mpd5; IPv6 and IPv4 networks have connection to the internet. When the ISP rotates its IPs, the IPv6 address is configured using SLAAC and mpd5 seems to act weird:

- the IPv4 address is always set correctly, IPFW and in-kernel NAT route/filter traffic correctly
- sometimes the old IPv6 address is dumped and only a new IPv6 address - in such a case, the old IPv6 is gone, the new pair (temporary and MACified address) are the only IPv6 addresses attached to the interface.
- sometimes the old IPv6 address set (= temporary) are marked "deprecated" and/or "detached" and a new set is attached to the interface tun0; on some rare occasions also an IPv6 address WITHOUT its "temporary" sibling is attached.

In any of the cases above, IPFW's NPTv6 gets confused, routing isn't working properly anymore. In any case of a change of the IPv6 address, IPFW has to be restarted!

In cases with marked deprecated and/or detached addresses, IPFW has to be restarted, AND the deprecated and/or detached IPv6 addresses have to be deleted manually. Otherwise - so it seems to me - NPTv6 takes the wrong (outdated) prefix. NPTv6 should not take any deprecated, detached prefix if a valid prefix is available. Even deleting the deprecated IPv6 requires a restart of IPFW.

No matter how long I wait, NPTv6 never gets the changed prefix by itself.

Kind regards,

Oliver

-- 
O. Hartmann
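The message above reports that NPTv6 keeps using a deprecated or detached external prefix after SLAAC rotates the WAN address, and that only a manual IPFW restart (plus deleting the stale addresses) repairs it. As an added example that is not part of the original post and not FreeBSD's own code, the sh script below turns that manual step into a targeted, automatic one: it reads ifconfig(8) output, selects the first global /64 that is neither link-local, ULA, temporary, tentative, deprecated nor detached, and rebuilds the NPTv6 instance with an explicit external prefix only when that prefix differs from the last one recorded. The interface name tun0, the instance name nptv6_wan, the internal ULA prefix fd00:1::/64, the rule numbers 100/101 and the state file path are placeholder assumptions; the sample ifconfig text is constructed. The `ipfw nptv6 NAME create int_prefix ... ext_prefix ... prefixlen N` / `destroy` syntax is the one documented in ipfw(8). Without `--live` the script only runs against the embedded sample, so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeBSD.
# Derive the currently valid global /64 on the WAN interface and rebuild the
# NPTv6 instance with an explicit external prefix only when it has changed.
# Placeholder assumptions: interface tun0, instance nptv6_wan, internal ULA
# prefix fd00:1::/64, rule numbers 100/101, state file under /var/run.

WAN_IF=${WAN_IF:-tun0}
NPT_NAME=${NPT_NAME:-nptv6_wan}
INT_PREFIX=${INT_PREFIX:-fd00:1::}      # internal prefix, without length
PLEN=${PLEN:-64}
RULE_OUT=${RULE_OUT:-100}
RULE_IN=${RULE_IN:-101}
STATE_FILE=${STATE_FILE:-/var/run/nptv6_${WAN_IF}.prefix}

# pick_global_prefix: read ifconfig(8) output on stdin and print the /64
# prefix (as "a:b:c:d::", trailing zero groups compressed) of the first inet6
# address that is not link-local, ULA, temporary, tentative, deprecated or
# detached. Prints nothing when no address qualifies.
pick_global_prefix() {
    awk '
    $1 == "inet6" && $3 == "prefixlen" && $4 == "64" {
        addr = $2; sub(/%.*/, "", addr)           # drop the "%tun0" zone id
        if (addr ~ /^fe80:/ || addr ~ /^f[cd]/ || addr ~ /^:/) next
        for (i = 5; i <= NF; i++)                 # flags after the prefixlen
            if ($i ~ /^(deprecated|detached|temporary|tentative)$/) next
        # Expand "::" far enough to recover the first four hextets.
        n = split(addr, half, "::")
        if (n > 2) next
        m = split(half[1], h, ":")
        r = (n == 2) ? split(half[2], rh, ":") : 0
        if (n == 1 && m != 8) next                # malformed address
        z = 8 - m - r                             # groups hidden by "::"
        if (z < 0) next
        for (j = 1; j <= z; j++) h[m + j] = "0"
        for (j = 1; j <= r; j++) h[m + z + j] = rh[j]
        k = 4; while (k > 1 && h[k] == "0") k--   # compress trailing zeros
        out = h[1]; for (j = 2; j <= k; j++) out = out ":" h[j]
        printf "%s::\n", out
        exit
    }'
}

# nptv6_commands EXT_PREFIX: print the ipfw(8) commands that rebuild the
# instance. Rules that reference it are deleted first so it is not in use
# when destroyed, then re-added against the new external prefix.
nptv6_commands() {
    ext=$1
    printf 'ipfw delete %s %s\n' "$RULE_OUT" "$RULE_IN"
    printf 'ipfw nptv6 %s destroy\n' "$NPT_NAME"
    printf 'ipfw nptv6 %s create int_prefix %s ext_prefix %s prefixlen %s\n' \
        "$NPT_NAME" "$INT_PREFIX" "$ext" "$PLEN"
    printf 'ipfw add %s nptv6 %s ip6 from %s/%s to any out via %s\n' \
        "$RULE_OUT" "$NPT_NAME" "$INT_PREFIX" "$PLEN" "$WAN_IF"
    printf 'ipfw add %s nptv6 %s ip6 from any to %s/%s in via %s\n' \
        "$RULE_IN" "$NPT_NAME" "$ext" "$PLEN" "$WAN_IF"
}

# sync_nptv6 PREFIX: when PREFIX is non-empty and differs from the one
# recorded in STATE_FILE, print the rebuild commands (and run them with sh
# when APPLY=1; the very first run may log a harmless delete/destroy error
# because nothing exists yet), record PREFIX and return 0. Otherwise return 1.
sync_nptv6() {
    new=$1
    [ -n "$new" ] || return 1
    old=$(cat "$STATE_FILE" 2>/dev/null || true)
    [ "$new" != "$old" ] || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        nptv6_commands "$new" | tee /dev/stderr | sh
    else
        nptv6_commands "$new"
    fi
    printf '%s\n' "$new" > "$STATE_FILE"
    return 0
}

# Constructed sample ifconfig(8) output (not captured from the poster's box):
# the old prefix 2001:db8:a:1::/64 is deprecated, a stray 2001:db8:c:3::/64
# is detached, and only 2001:db8:b:2::/64 (plus its temporary sibling) is
# fully valid.
SAMPLE='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
    inet6 fe80::aaaa:bbbb:cccc:dddd%tun0 prefixlen 64 scopeid 0x5
    inet6 2001:db8:a:1:aaaa:bbbb:cccc:dddd prefixlen 64 autoconf deprecated
    inet6 2001:db8:a:1:1111:2222:3333:4444 prefixlen 64 autoconf temporary deprecated
    inet6 2001:db8:c:3::1 prefixlen 64 autoconf detached
    inet6 2001:db8:b:2:5555:6666:7777:8888 prefixlen 64 autoconf temporary
    inet6 2001:db8:b:2:aaaa:bbbb:cccc:dddd prefixlen 64 autoconf'

if [ "${1:-}" = "--live" ]; then
    # On the appliance: WAN_IF=tun0 APPLY=1 sh nptv6_sync.sh --live
    # (e.g. from cron every minute); exit status 1 means nothing changed.
    sync_nptv6 "$(ifconfig "$WAN_IF" inet6 | pick_global_prefix)"
else
    # Offline demonstration: print the prefix selected from the sample.
    printf '%s\n' "$SAMPLE" | pick_global_prefix
fi
```

Run with `--live` from cron or a devd(8) hook on the appliance; the prefix selection is the part that matters for the reported symptom, because it refuses deprecated and detached addresses outright instead of letting the kernel's `ext_if` lookup choose among them.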