Date: Wed, 1 Aug 2012 17:13:29 +0000 (UTC) From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: Matthew Seaman <m.seaman@infracaninophile.co.uk> Cc: FreeBSD Stable List <freebsd-stable@freebsd.org>, freebsd-pf@FreeBSD.org Subject: Re: Regression with jails/IPv6/pf Message-ID: <alpine.BSF.2.00.1208011710130.4474@ai.fobar.qr> In-Reply-To: <5011902C.1070600@infracaninophile.co.uk> References: <5011902C.1070600@infracaninophile.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 26 Jul 2012, Matthew Seaman wrote: Hi, as there have been more people having problems with pf and IPv6 after the changes I am replying to stable@ cc: pf@. ... > [...] > > nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext > rdr inet6 proto tcp from <localnets> to $xenophobe_ext \ > port { 22, 80, 443, 548, 4700 } -> $xenophobe_int > > When trying to ssh into the jail with a kernel exhibiting this problem, > tcpdump showed that traffic was reaching the sshd in the jail and > responses were being generated, but they didn't make it out onto the net. Any of you who are expereincing problems with packets dropped due to invalid checksums with IPv6 and pf after the recent merges, can you report back if you also see this without "modulate state" in your pf.conf (if you have 'modulate' in there, can you try changing it to 'keep' and see if that fixes the problem)? /bz -- Bjoern A. Zeeb You have to have visions! Stop bit received. Insert coin for new address family.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1208011710130.4474>