Date: Mon, 2 Sep 2013 12:22:11 +0200 From: Ruben van Staveren <ruben@verweg.com> To: Tim Bishop <tim@bishnet.net> Cc: bz@FreeBSD.org, freebsd-stable@FreeBSD.org, freebsd-pf@FreeBSD.org Subject: Re: Stiil a regression with jails/IPv6/pf? Message-ID: <8A6CE540-7AF3-4472-B0CC-A222036557C0@verweg.com> In-Reply-To: <20130831194951.GC44979@carrick-users.bishnet.net> References: <20130831194951.GC44979@carrick-users.bishnet.net>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] Hi, On 31 Aug 2013, at 21:49, Tim Bishop <tim@bishnet.net> wrote: > Hi all, > > This is regarding kern/170070 and these two threads from last year: > > http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068987.html > http://lists.freebsd.org/pipermail/freebsd-stable/2012-August/069043.html > > I'm running stable/9 r255017 and I'm seeing the same issue, even with > the fix Bjoern committed in r238876. This is still with "modulate state" in some rules that also hit ipv6 traffic ? It almost looks like doing this kind of traffic alteration is considered harmful for IPv6 http://forums.freebsd.org/showthread.php?t=36595 If that is the case, then this should be applicable only to ipv4 traffic, without requiring specific knowledge from the user > > My setup is a dual stack one (IPv6 is done through an IPv4 tunnel) and > the problem is only with IPv6. I have jails with both IPv4 and IPv6 > addresses, and I use pf to rdr certain ports to certain jails. With IPv6 > I'm seeing failed checksums on the packets coming back out of my system, > both with UDP and TCP. > > If I connect over IPv6 to the jail host it works fine. If I connect over > IPv6 to a jail directly (they have routable addresses, but I prefer them > to all be masked behind the single jail host normally), it works fine. > So the only failure case is when it goes through a rdr rule in pf. > > This system replaces a previous one running stable/8 which worked fine > with the same pf config file. > > Has anyone got any suggestions on what I can do to fix this or to debug > it further? > > Thanks, > > Tim. > > -- > Tim Bishop > http://www.bishnet.net/tim/ > PGP Key: 0x6C226B37FDF38D55 > [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iEYEARECAAYFAlIkZtMACgkQZ88+mcQxRw2kTgCeOvKE4byQ2ACgcKOSpiWvrjbE 7sAAnihUaLcLBzVXVqOPLzS8I++i0Mp6 =gZJp -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?8A6CE540-7AF3-4472-B0CC-A222036557C0>