From owner-freebsd-stable@FreeBSD.ORG  Fri Jul 10 12:32:08 2009
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 517FB106564A
	for <freebsd-stable@freebsd.org>; Fri, 10 Jul 2009 12:32:08 +0000 (UTC)
	(envelope-from hlh@restart.be)
Received: from tignes.restart.be (tignes.restart.be
	[IPv6:2001:41d0:2:2d29:0:1::])
	by mx1.freebsd.org (Postfix) with ESMTP id D60E08FC1A;
	Fri, 10 Jul 2009 12:32:07 +0000 (UTC) (envelope-from hlh@restart.be)
Received: from restart.be (avoriaz.tunnel.bel [IPv6:2001:41d0:2:2d29:1:ffff::])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "avoriaz.restart.be", Issuer "CA master" (verified OK))
	by tignes.restart.be (Postfix) with ESMTPS id 2E6D94D3C;
	Fri, 10 Jul 2009 14:32:07 +0200 (CEST)
Received: from morzine.restart.bel (morzine.restart.be
	[IPv6:2001:41d0:2:2d29:1:2::]) (authenticated bits=0)
	by restart.be (8.14.3/8.14.3) with ESMTP id n6ACW3pK055253;
	Fri, 10 Jul 2009 14:32:03 +0200 (CEST) (envelope-from hlh@restart.be)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=restart.be;
	s=avoriaz; t=1247229126;
	bh=ynWlcHTMgLkGhZcs/xWgOh4gJTwVT4EFsQqlWq+SLXM=;
	h=Message-ID:Date:From:MIME-Version:To:Subject:Content-Type:
	Content-Transfer-Encoding;
	b=VtDtprSArc+BGQcwRznBRhT5yH+xLrTxd6RtL/M9N4813UxW0HASKPEbpAqZcBZW7
	I3ckuOy8LOrMeCIcBz/SA==
DomainKey-Signature: a=rsa-sha1; s=avoriaz; d=restart.be; c=nofws; q=dns;
	h=message-id:date:from:organization:user-agent:mime-version:to:
	subject:content-type:content-transfer-encoding:x-scanned-by;
	b=CSRxbeTCecuXE7zCvkpPuYiENX9HFn1EbHTNkU5H4AzQAGHd6XA6KnhAEtka5PT67
	EZtBvR+xQAhilf01f15Gg==
Message-ID: <4A5734C3.3000806@restart.be>
Date: Fri, 10 Jul 2009 14:32:03 +0200
From: Henri Hennebert <hlh@restart.be>
Organization: RestartSoft
User-Agent: Thunderbird 2.0.0.22 (X11/20090627)
MIME-Version: 1.0
To: freebsd-stable@freebsd.org, freebsd-st@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.64 on IPv6:2001:41d0:2:2d29:1:1::
Cc: 
Subject: 8.0-BETA1 - for the record - different paths followed by IPv4 and
 IPv6 for 'local' connections
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2009 12:32:08 -0000

Hello,

After upgrading from 7.2-STABLE to 8.0-BETA1 I encounter a problem when 
connecting with firefox to a local apache server using the global 
unicast IPv6 address of the local machine. pf.conf must be updated!

My configuration:

[root@avoriaz ~]# ifconfig em0

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
	ether 00:1d:60:ad:2a:ce
	inet 192.168.24.1 netmask 0xffffff00 broadcast 192.168.24.255
	inet6 fe80::21d:60ff:fead:2ace%em0 prefixlen 64 scopeid 0x1
	inet6 2001:41d0:2:2d29:1:1:: prefixlen 80
	media: Ethernet 100baseTX (100baseTX <half-duplex>)
	status: active

[root@avoriaz ~]# host www.restart.bel
www.restart.bel is an alias for avoriaz.restart.bel.
avoriaz.restart.bel has address 192.168.24.1
avoriaz.restart.bel has IPv6 address 2001:41d0:2:2d29:1:1::

pf.conf:

int_if="em0"
block in  log all
block out log all
set skip on lo0
antispoof quick for $int_if inet
# Allow trafic with physical internal network
pass in quick on $int_if from ($int_if:network) to ($int_if) keep state
pass out quick on $int_if from ($int_if) to ($int_if:network) keep state

The problem:

[root@avoriaz ~]# telnet -4 www.restart.bel 80
Trying 192.168.24.1...
Connected to avoriaz.restart.bel.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@avoriaz ~]# telnet -6 www.restart.bel 80
Trying 2001:41d0:2:2d29:1:1::...
--->Never connect and get a timeout!

tcpdump and logging in pf show me that

For a IPv4 connection:
the packet from telnet to apache pass 2 times on lo0 (out and in)
the answer packet from apache to telnet pass 2 times on lo0 (out and in)

So no problem, there is `set skip on lo0'

For a IPv6 connection:
The first packet from telnet to apache pass 2 times on lo0 (out and in)
The answer packet from apache to telnet path on em0  and is rejected
due to the default flags S/SA.

So I have to change pf.conf and replace the last line:
pass out quick on $int_if from ($int_if) to ($int_if:network) \
keep state flags any

Then all is OK

By the way, on 7.2

netstat -rn display

192.168.24.1        00:1d:60:ad:2a:ce
....
2001:41d0:2:2d29:1:1::            00:1d:60:ad:2a:ce


On 8.0-BETA1 there is an assymetry:

netstat -rn display

192.168.24.1       link#3
....
no entry for 2001:41d0:2:2d29:1:1::

Hope it may help someone

Henri