From owner-freebsd-pf@FreeBSD.ORG  Sat Dec 12 01:25:11 2009
Return-Path: <owner-freebsd-pf@FreeBSD.ORG>
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6E6EB106566B
	for <freebsd-pf@freebsd.org>; Sat, 12 Dec 2009 01:25:11 +0000 (UTC)
	(envelope-from zion@x96.org)
Received: from x96.org (astellm-1-pt.tunnel.tserv9.chi1.ipv6.he.net
	[IPv6:2001:470:1f10:754::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 4EFEC8FC16
	for <freebsd-pf@freebsd.org>; Sat, 12 Dec 2009 01:25:11 +0000 (UTC)
Received: from x96.org (unknown [10.10.10.2])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by x96.org (Postfix) with ESMTPSA id 780EE4C240
	for <freebsd-pf@freebsd.org>; Fri, 11 Dec 2009 17:25:10 -0800 (PST)
Date: Fri, 11 Dec 2009 17:25:08 -0800
From: Aaron Stellman <zion@x96.org>
To: freebsd-pf@freebsd.org
Message-ID: <20091212012507.GD27716@x96.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2009-06-14)
Subject: IPv6, PF problem
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
	\(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
	<mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 01:25:11 -0000

Hello there,
Here is the problem I've encountered on a dual stack amd64 FreeBSD 8.0p1
machine.

What works:
pass in on $ext_if proto tcp to           port 21

What doesn't work:
pass in on $ext_if proto tcp to ($ext_if) port 21

here is what's logged when it doesn't work:
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size
1515 bytes
00:00:00.000000 rule 0/0(match): block in on bge0:
2001:1938:235:beef:21b:21ff:fe37:d799.11220 >
2001:1938:235:dead:226:b9ff:fe75:6e5e.21: Flags [S], seq 413041093, win
65535, options [mss 1440,nop,nop,sackOK,nop,wscale 1,nop,nop,TS val
3435338387 ecr 0], length 0

ext_if="bge0"

epsilon# ifconfig -a
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:26:b9:75:6e:5e
        inet 10.10.11.5 netmask 0xffffffe0 broadcast 10.10.11.31
        inet6 fe80::226:b9ff:fe75:6e5e%bge0 prefixlen 64 scopeid 0x1 
        inet 10.10.11.8 netmask 0xffffffe0 broadcast 10.10.11.31
        inet6 2001:1938:235:dead:226:b9ff:fe75:6e5e prefixlen 64
autoconf 
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000 
        inet6 ::1 prefixlen 128 
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2 
pflog0: flags=0<> metric 0 mtu 33152


Notice, that it works as expected with IPv4; meaning that when I use "to
($ext_if)" and use ipv4 to connect, connection passes through, unlike
IPv6.
Also, OpenBSD pf works as expected with both IPv{4,6}