Date:      Sat, 29 Dec 2012 15:31:03 +0100
From:      Michael Grimm <trashcan@odo.in-berlin.de>
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Message-ID:  <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de>
In-Reply-To: <CA%2B7WWSdLu-P0-65eGWr9aiL-Rdv0_GCBUODsq5Xw5wh%2BcZcNtQ@mail.gmail.com>
References:  <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de> <50DEDA01.4060103@cyberleo.net> <CA%2B7WWSdLu-P0-65eGWr9aiL-Rdv0_GCBUODsq5Xw5wh%2BcZcNtQ@mail.gmail.com>

Hi --

On 29.12.2012, at 13:07, Kimmo Paasiala <kpaasial@gmail.com> wrote:
> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana <cyberleo@cyberleo.net> wrote:
>> On 12/28/2012 05:59 AM, Michael Grimm wrote:

>>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jail1 and jail2 as outlined below:
>> <snip>
>>> I do see using tcpdump at server1:
>>>
>>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 9.1's PF appears to be either corrupting or not updating the packet
>> checksum when it touches IPv6 packets. I was not able to figure out how
>> or why in my brief perusal of the source, but it seems to affect more
>> than just NAT66.
>>
>> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.
>


I've been told to change my outgoing rule from ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state

... to ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all

... and that did the trick! No more checksum and timeout errors. Now it works as expected.

Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC.

And one last question: I do have "modulate state" for the corresponding IPv4 rule as well. Should I modify that as well? Sorry for that dumb question, but I don't know pf well enough to judge myself.

Thanks for your help, and with kind regards,
Michael
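The following is an added example, not part of this thread and not pf's own code: it shows why a rule that rewrites TCP fields on IPv6 ("modulate state" rewrites the initial sequence number; NAT66 rewrites an address) has to update the TCP checksum, and what a receiver sees when it does not. The TCP checksum covers an IPv6 pseudo-header (source and destination address, upper-layer length, next header) plus the segment, so either kind of rewrite invalidates it, and the peer silently drops the SYN, which the client reports as a timeout. The addresses (documentation prefix 2001:db8::/32), ports, sequence number and ISN offset are constructed for the demo; the "naive" and "fixed" modulators are illustrative, not a reproduction of pf's state-modulation code.

```python
# Added example (not from the mailing-list thread, not pf source): TCP-over-IPv6
# checksum handling for a sequence-number or address rewrite. All addresses,
# ports, sequence numbers and the ISN offset below are constructed for the demo.
import ipaddress
import struct

TCP_NEXT_HEADER = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """RFC 8200 section 8.1 pseudo-header. The addresses are covered, so a
    NAT66 address rewrite alone already breaks the checksum."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([TCP_NEXT_HEADER]))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Full recomputation; the checksum field (bytes 16..17) is zero while summing."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(ipv6_pseudo_header(src, dst, len(zeroed)) + zeroed)) & 0xFFFF


def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver's view: pseudo-header + segment (checksum included) must fold to
    0xFFFF, otherwise the segment is dropped and the sender sees a timeout."""
    return ones_complement_sum(ipv6_pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP SYN (no options, window 65535) with a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def seq_of(segment: bytes) -> int:
    return struct.unpack("!I", segment[4:8])[0]


def csum_of(segment: bytes) -> int:
    return struct.unpack("!H", segment[16:18])[0]


def modulate_isn_naive(segment: bytes, delta: int) -> bytes:
    """A broken state modulator: shifts the sequence number and leaves the
    checksum alone. tcpdump -vv then prints 'cksum ... (incorrect -> ...)'."""
    new_seq = (seq_of(segment) + delta) & 0xFFFFFFFF
    return segment[:4] + struct.pack("!I", new_seq) + segment[8:]


def incremental_fixup(old_csum: int, old_field: int, new_field: int) -> int:
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), applied to each
    16-bit half of a 32-bit field, so the segment need not be re-summed."""
    acc = (~old_csum) & 0xFFFF
    for old, new in ((old_field >> 16, new_field >> 16),
                     (old_field & 0xFFFF, new_field & 0xFFFF)):
        acc += ((~old) & 0xFFFF) + new
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def modulate_isn_fixed(segment: bytes, delta: int) -> bytes:
    """Correct modulation: rewrite the sequence number and patch the checksum."""
    old_seq = seq_of(segment)
    new_seq = (old_seq + delta) & 0xFFFFFFFF
    new_csum = incremental_fixup(csum_of(segment), old_seq, new_seq)
    return (segment[:4] + struct.pack("!I", new_seq) + segment[8:16]
            + struct.pack("!H", new_csum) + segment[18:])


def nat66_rewrite_src(segment: bytes, new_src: str, dst: str) -> bytes:
    """Address rewrite: the new source goes into the pseudo-header, so the
    checksum is recomputed against it."""
    return segment[:16] + struct.pack("!H", tcp_checksum(new_src, dst, segment)) + segment[18:]


# Constructed sample, modelled on the thread's SYN from the jail to port 53.
CLIENT = "2001:db8:b::1"
SERVER = "2001:db8:a:1::1"
NAT_SRC = "2001:db8:c::1"
SYN = build_syn(CLIENT, SERVER, 64158, 53, 3833155181)


def demo(delta: int = 0x12345678) -> dict:
    """Checksum validity as the server would judge it in each scenario."""
    return {
        "original_ok": checksum_ok(CLIENT, SERVER, SYN),
        "naive_modulate_ok": checksum_ok(CLIENT, SERVER, modulate_isn_naive(SYN, delta)),
        "fixed_modulate_ok": checksum_ok(CLIENT, SERVER, modulate_isn_fixed(SYN, delta)),
        "nat66_no_fixup_ok": checksum_ok(NAT_SRC, SERVER, SYN),
        "nat66_with_fixup_ok": checksum_ok(NAT_SRC, SERVER, nat66_rewrite_src(SYN, NAT_SRC, SERVER)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID checksum, segment would be dropped'}")
```

Running it prints one line per scenario; only the untouched SYN, the modulated SYN with the checksum patched, and the NAT66-rewritten SYN with a recomputed checksum come out valid. On a live box the equivalent check is the "cksum ... (incorrect -> ...)" annotation from tcpdump -vv on the receiving side, as in the capture quoted above; a checksum reported wrong on the sending host can also be an artifact of transmit checksum offload, so the receiving side is the one to trust.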


