From: "Bjoern A. Zeeb"
To: Matthew Seaman
Cc: FreeBSD Stable List, freebsd-pf@FreeBSD.org
Date: Wed, 1 Aug 2012 17:13:29 +0000 (UTC)
Subject: Re: Regression with jails/IPv6/pf
In-Reply-To: <5011902C.1070600@infracaninophile.co.uk>

On Thu, 26 Jul 2012, Matthew Seaman wrote:

Hi,

as there have been more people having problems with pf and IPv6 after
the changes I am replying to stable@ cc: pf@.

...

> [...]
>
> nat on $ext_if_plus from $xenophobe_int to any -> $xenophobe_ext
> rdr inet6 proto tcp from to $xenophobe_ext \
>     port { 22, 80, 443, 548, 4700 } -> $xenophobe_int
>
> When trying to ssh into the jail with a kernel exhibiting this problem,
> tcpdump showed that traffic was reaching the sshd in the jail and
> responses were being generated, but they didn't make it out onto the net.

Any of you who are experiencing problems with packets dropped due to
invalid checksums with IPv6 and pf after the recent merges, can you
report back if you also see this without "modulate state" in your
pf.conf (if you have 'modulate' in there, can you try changing it to
'keep' and see if that fixes the problem)?

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.