From owner-freebsd-pf@FreeBSD.ORG  Sat Dec 29 12:07:51 2012
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id 86044ACB
 for <freebsd-pf@freebsd.org>; Sat, 29 Dec 2012 12:07:51 +0000 (UTC)
 (envelope-from kpaasial@gmail.com)
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com
 [209.85.212.179])
 by mx1.freebsd.org (Postfix) with ESMTP id 0CAA28FC08
 for <freebsd-pf@freebsd.org>; Sat, 29 Dec 2012 12:07:50 +0000 (UTC)
Received: by mail-wi0-f179.google.com with SMTP id o1so6316616wic.6
 for <freebsd-pf@freebsd.org>; Sat, 29 Dec 2012 04:07:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=iSZV3S2uErmHxLTzcaxySyYt9AhGkTAsbTl4LMUi3bo=;
 b=UFO6nGmHvkAzZfGjduQARryRdkqk7kyoADpuqG810Pe1B0hEEPmAPe9iQSofTD8ZZv
 M6RK4szLczmqKrXXgh/Qfm58j94jQzEZwcRBk1AOwEtmh6NyF+vW1aFHCBHe35/w50bC
 c4QupKitUmmrw19S3ixnswVf+yTP64JR5qxbZgellck/ly6gsMHoYZqiEdC206lzGfwx
 YeUDe7rAJWFz6V1FcJO7oSdFyJwSw2Y2g7CcN7upBMYC4VF5mP4y/bZe1qRKthEa2GPN
 00ZN+rzFtjltWtmqEXrlPOpdUqLf3/3qOXFKlnXEkzcO1GZoRtDyO22RA0UFeBBLOHHo
 2+Pg==
MIME-Version: 1.0
Received: by 10.194.23.37 with SMTP id j5mr57487921wjf.28.1356782869743; Sat,
 29 Dec 2012 04:07:49 -0800 (PST)
Received: by 10.216.172.197 with HTTP; Sat, 29 Dec 2012 04:07:49 -0800 (PST)
In-Reply-To: <50DEDA01.4060103@cyberleo.net>
References: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>
 <50DEDA01.4060103@cyberleo.net>
Date: Sat, 29 Dec 2012 14:07:49 +0200
Message-ID: <CA+7WWSdLu-P0-65eGWr9aiL-Rdv0_GCBUODsq5Xw5wh+cZcNtQ@mail.gmail.com>
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed
 out
From: Kimmo Paasiala <kpaasial@gmail.com>
To: CyberLeo Kitsana <cyberleo@cyberleo.net>
Content-Type: text/plain; charset=UTF-8
Cc: freebsd-pf@freebsd.org
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Dec 2012 12:07:51 -0000

On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana <cyberleo@cyberleo.net> wrote:
> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>> Hi --
>>
>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:
> <snip>
>> I do see using tcpdump at server1:
>>
>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 9.1's PF appears to be either corrupting or not updating the packet
> checksum when it touches IPv6 packets. I was not able to figure out how
> or why in my brief perusal of the source, but it seems to affect more
> than just NAT66.
>
> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> --
> Fuzzy love,
> -CyberLeo
> Furry Peace! - http://www.fur.com/peace/

Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.

-Kimmo