From: Christian Laursen <xi@borderworlds.dk>
Organization: The Border Worlds
Date: Tue, 06 Apr 2010 20:12:58 +0200
To: freebsd-pf@FreeBSD.org
Subject: "(self)" not always matching all local IPv6 addresses
Message-ID: <4BBB79AA.7040600@borderworlds.dk>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,

I have tripped over what I believe is a bug in pf.
On my test machine I have this fairly simple ruleset:

===============================================
set block-policy return
set skip on lo0

block in all
pass out proto { tcp, udp } all keep state
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all

pass in proto tcp from any to (self) port 22
===============================================

After booting the machine ifconfig for em0 looks like this:

em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23
        media: Ethernet autoselect (1000baseT )
        status: active

The problem is that when I try to ssh to the machine the connection is not allowed through:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused

I have tried various things when I tried to figure out what is going on here. In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23
        media: Ethernet autoselect (1000baseT )
        status: active

After doing this, ssh works:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr  6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT less than a week old.

I can mention that changing "(self)" to "self" in the ruleset works as expected, and the problem returns when changing it back.

When I see this behaviour, it can also be "fixed" by adding another interface, e.g. "ifconfig gif0 create".
I hope that this makes sense and that someone more familiar with the inner workings of pf is able to reproduce it. I like using "(self)", but when it doesn't work reliably I'm forced to resort to workarounds.

If I need to provide more info, I'll be happy to do so.

Thanks in advance.

-- 
Christian Laursen
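An added example, not part of the original post or of pf itself: when a "(self)" rule is suspected of not covering every local address, the first thing to pin down is the exact set of addresses the rule should expand to, so that each one can be probed and the misses listed. The script below parses ifconfig(8) output (the two captures from the report, re-indented as constructed sample input; the bracketed flag names lost in the archive are not reconstructed), collects every inet/inet6 address with the IPv6 scope suffix stripped, and reports which of them an observed probe did not reach. All function names are the example's own.

```python
import re

# Constructed sample input: the report's first ifconfig capture, re-indented
# as ifconfig prints it. Flag names inside <...> were lost and are not restored.
IFCONFIG_BEFORE = """\
em0: flags=8843 metric 0 mtu 1500
        options=9b
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23
        media: Ethernet autoselect (1000baseT )
        status: active
"""

# The second capture: the same interface after "ifconfig em0 inet6 2001:6c8:6:6::2".
IFCONFIG_AFTER = IFCONFIG_BEFORE.replace(
    "        nd6 options=23\n",
    "        inet6 2001:6c8:6:6::2 prefixlen 64\n        nd6 options=23\n",
)

_IFACE_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.]+):\s+flags=")
_ADDR_LINE = re.compile(r"^\s+(?P<family>inet6?)\s+(?P<addr>\S+)")


def parse_ifconfig(text):
    """Map each interface name to its inet/inet6 addresses, in output order.

    The IPv6 scope suffix (fe80::1%em0) is stripped because pf addresses do
    not carry one. Lines such as 'ether', 'nd6', 'media' are ignored.
    """
    result = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_LINE.match(line)
        if m:
            current = m.group("name")
            result[current] = []
            continue
        m = _ADDR_LINE.match(line)
        if m and current is not None:
            result[current].append(m.group("addr").split("%", 1)[0])
    return result


def self_addresses(text, include_link_local=False):
    """Every address on every interface: the set a '(self)' rule is meant to cover.

    Link-local IPv6 addresses are left out by default so the list matches what
    an administrator would normally try to reach from another host.
    """
    addrs = set()
    for iface_addrs in parse_ifconfig(text).values():
        for a in iface_addrs:
            if not include_link_local and a.lower().startswith("fe80:"):
                continue
            addrs.add(a)
    return addrs


def missing_from(expected, matched):
    """Addresses in `expected` that an observed probe did NOT reach, sorted."""
    return sorted(expected - set(matched))


if __name__ == "__main__":
    expected = self_addresses(IFCONFIG_BEFORE)
    # Constructed observation for the demo: suppose probing port 22 on each
    # address showed that only the IPv4 address accepted the connection.
    observed_matching = {"10.1.0.40"}
    for a in missing_from(expected, observed_matching):
        print("(self) did not match local address", a)
```

Feed the script the live output of ifconfig on the firewall and the set of addresses a port probe actually reached, and the remaining list is exactly what needs to go into the bug report (or, as a workaround, into a static "self" rule or table). Comparing the result against the output taken after adding a second address, as the report does, shows whether the expansion tracks interface changes.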