Date:      Sat, 29 Dec 2012 05:54:41 -0600
From:      CyberLeo Kitsana <cyberleo@cyberleo.net>
To:        Michael Grimm <trashcan@odo.in-berlin.de>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Message-ID:  <50DEDA01.4060103@cyberleo.net>
In-Reply-To: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>
References:  <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>

On 12/28/2012 05:59 AM, Michael Grimm wrote:
> Hi --
> 
> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:
<snip>
> I do see using tcpdump at server1:
> 
> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
9.1's PF appears to be either corrupting or not updating the packet
checksum when it touches IPv6 packets. I was not able to figure out how
or why in my brief perusal of the source, but it seems to affect more
than just NAT66.

http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html

-- 
Fuzzy love,
-CyberLeo
Furry Peace! - http://www.fur.com/peace/


