Date: Wed, 17 Jan 2018 21:25:18 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 193568] PF rdr rule with ipv6 does not work
Message-ID: <bug-193568-17777-yhq9sv4GGK@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-193568-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-193568-17777@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568

Alan Somers <asomers@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |asomers@FreeBSD.org
             Status|New                         |Open

--- Comment #2 from Alan Somers <asomers@FreeBSD.org> ---
This is NOT a duplicate of 179392. It has nothing to do with checksums. In fact, it technically isn't a bug at all. The problem is that you're asking PF to do something that's illegal in IPv6.

IPv6 addresses have the concept of "scopes". A scope is the domain in which a particular address is valid. Localhost (::1) has local scope, link-local addresses (fe80:*) have link-local scope, site-local addresses (fec0:*) have site-local scope, and global addresses (everything else) have global scope. Since ::1 only has local scope, it's only valid for traffic that originates and ends on the local machine. For that reason, it is specifically forbidden to assign ::1 to a real network interface.

Your PF rule redirects a packet to ::1, but doesn't change the receiving interface. Thus, it violates scoping rules. You can tell by running 'netstat -s -f inet6 | grep "violated scope"' before and after generating the traffic that you want to redirect. The check is in in6_setscope().

The simple workaround is to change your rdr rule to redirect to your actual link-local, site-local, or global IPv6 address instead of ::1.

-- 
You are receiving this mail because:
You are the assignee for the bug.
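The scoping argument in the comment above, as an added example that is not part of the bug report or of pf itself: a small Python script that classifies IPv6 addresses by RFC 4007 scope, lints a pf.conf fragment for rdr rules whose target is the loopback address ::1 (the pattern the comment says cannot work for traffic arriving on a real interface), and computes the delta of the "violated scope rules" counter between two netstat runs. The pf.conf fragment and the netstat excerpts are constructed for this example; the exact wording of the ip6 counter line is assumed to be "N packets that violated scope rules", which is how FreeBSD's netstat -s -f inet6 prints ip6s_badscope.

```python
#!/usr/bin/env python3
"""Added example (not from the bug report): classify IPv6 addresses by scope,
lint pf 'rdr' targets for ::1, and diff the 'violated scope rules' counter."""
import ipaddress
import re

# Constructed pf.conf fragment. Line 2 is the broken pattern from the bug
# report (inbound IPv6 on em0 redirected to ::1); lines 3-4 redirect to
# addresses that are valid on a real interface; line 5 is an IPv4 rule that
# the IPv6 scope check does not apply to.
SAMPLE_PF_CONF = """\
ext_if = "em0"
rdr pass on $ext_if inet6 proto tcp from any to ($ext_if) port 80 -> ::1 port 8080
rdr pass on $ext_if inet6 proto tcp from any to ($ext_if) port 443 -> 2001:db8::10 port 8443
rdr pass on $ext_if inet6 proto tcp from any to ($ext_if) port 22 -> fe80::1 port 2222
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 80 -> 127.0.0.1 port 8080
"""

# Matches 'rdr ... -> <target> [port <port>]'; the target is whatever follows
# the arrow, so table names or (ifname) groups end up as unparsed targets.
RDR_RE = re.compile(
    r"^\s*rdr\b(?P<body>.*?)->\s*(?P<target>\S+)(?:\s+port\s+(?P<port>\S+))?\s*$"
)


def ipv6_scope(addr: str) -> str:
    """Return the RFC 4007 scope of an IPv6 address as a short label."""
    a = ipaddress.IPv6Address(addr)
    if a.is_loopback:        # ::1, valid only for traffic that stays on the host
        return "loopback"
    if a.is_link_local:      # fe80::/10
        return "link-local"
    if a.is_site_local:      # fec0::/10 (deprecated, but still a distinct scope)
        return "site-local"
    return "global"          # everything else, including ULA and 2001:db8::/32


def lint_rdr_rules(conf: str) -> list:
    """Parse each rdr rule in a pf.conf fragment and flag loopback-scoped targets.

    Returns one dict per rdr rule: line number, raw target, scope label and
    whether the rule passes the check. Only a literal ::1 target is flagged,
    which is exactly the case the bug comment explains cannot work."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = RDR_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:
            # (em0), <table>, macros: not a literal address, nothing to check
            findings.append({"line": lineno, "target": target,
                             "scope": "unparsed", "ok": True})
            continue
        if ip.version == 4:
            findings.append({"line": lineno, "target": target,
                             "scope": "ipv4", "ok": True})
            continue
        scope = ipv6_scope(target)
        findings.append({"line": lineno, "target": target,
                         "scope": scope, "ok": scope != "loopback"})
    return findings


# Constructed excerpts of 'netstat -s -f inet6' captured before and after
# pushing traffic through the broken rule. The counter line format is an
# assumption about FreeBSD's output (ip6s_badscope).
NETSTAT_BEFORE = """\
ip6:
\t120 total packets received
\t0 packets that violated scope rules
"""
NETSTAT_AFTER = """\
ip6:
\t131 total packets received
\t4 packets that violated scope rules
"""
SCOPE_RE = re.compile(r"^\s*(\d+) packets? that violated scope rules", re.M)


def scope_violations(netstat_output: str) -> int:
    """Extract the 'violated scope rules' counter; 0 if the line is absent."""
    m = SCOPE_RE.search(netstat_output)
    return int(m.group(1)) if m else 0


def new_scope_violations(before: str, after: str) -> int:
    """Counter delta between two captures; > 0 means the rule is being rejected."""
    return scope_violations(after) - scope_violations(before)


if __name__ == "__main__":
    for f in lint_rdr_rules(SAMPLE_PF_CONF):
        status = "OK " if f["ok"] else "BAD"
        print(f"{status} line {f['line']}: -> {f['target']} ({f['scope']})")
    print("new scope violations:", new_scope_violations(NETSTAT_BEFORE, NETSTAT_AFTER))
```

Run it as-is to see the ::1 rule flagged and the counter delta of 4; to use it against a real system, paste your own rules into SAMPLE_PF_CONF and feed two real netstat captures to new_scope_violations. A non-zero delta after generating the redirected traffic is the confirmation the comment describes.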
