From: Alan Somers <asomers@gmail.com>
Date: Tue, 23 Jan 2018 14:01:07 -0700
Subject: Re: pf: redirect a packet's port but not its address?
To: Eugene Grosbein
Cc: "Andrey V. Elsukov", FreeBSD Net, Kristof Provost
List-Id: Networking and TCP/IP with FreeBSD
In-Reply-To: <5A6781E9.5060405@grosbein.net>

On Tue, Jan 23, 2018 at 11:41 AM, Eugene Grosbein wrote:
> 24.01.2018 1:26, Alan Somers wrote:
>
>>> # ipfw add fwd ::1,5678 tcp from any to any 4000
>>> # nc -6 -l ::1 5678
>>>
>>> And from another host tried:
>>> # telnet -6 fc00::1 4000
>>>
>>> And this works.
>>
>> This does not work for me. When I try, tcpdump shows that the host running
>> ipfw returns an RST packet when it receives a SYN for port 4000. That
>> sounds like the fwd rule isn't working. And it's probably not working
>> because I'm a total ipfw n00b. Is there anything else I need to configure
>> in ipfw first?
>> My rc.conf file looks like:
>>
>> firewall_enable="YES"
>> firewall_type="open"
>
> ipfw rules are always numbered, and while ipfw allows you to not specify a
> rule number when adding, it is wise to always specify it, or else it adds
> rules to the end of the list, and that is not what you want when dealing
> with the pre-defined "open" ruleset.
>
> In short, use "ipfw add 2000 fwd ::1,5678 tcp from any to any 4000".
> Use "ipfw show" to check it out before and after running this command.

Thanks. It works now, at least for global addresses. But the fwd rule does not work for link-local addresses. When I try, the ACK packet gets dropped because it violates IPv6 scope rules. A custom dtrace probe shows that ipfw is apparently not setting the embedded scope identifier on the forwarded packet. The address should be "fe80:2:0:0:215:17ff:fee9:3079" but it's actually "fe80:0:0:0:215:17ff:fee9:3079". This is similar to the problems I ran into with pf. In fact, I never did get pf working with link-local addresses either.

-Alan
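The scope problem Alan describes above, as an added example that is not part of the thread and not FreeBSD's ipfw or pf code: the FreeBSD kernel keeps a link-local address's scope (the interface index) KAME-style in the address's second 16-bit word while a packet is inside the stack, which is why the dtrace probe expects "fe80:2:…" and a forwarded address that still reads "fe80:0:…" has no link to go out on and fails the scope check. The functions below embed a scope, read it back, and flag a link-local address whose embedded scope is still zero, which is the condition the forwarding path tripped over. Function names, the sample peer address and the interface index 2 are assumptions chosen to match the numbers in the mail; inet_ntop prints the result compressed ("fe80:2::…") rather than in the uncompressed form the probe printed.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True for link-local unicast (fe80::/10). */
int ll6_is_linklocal(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80;
}

/* Scope identifier embedded KAME-style in the second 16-bit word (bytes 2-3). */
uint32_t ll6_embedded_scope(const struct in6_addr *a)
{
    return ((uint32_t)a->s6_addr[2] << 8) | a->s6_addr[3];
}

/* Embed a link scope (interface index) into a link-local address.
 * Returns 1 if embedded, 0 if the address is not link-local (left untouched),
 * -1 if the scope does not fit in the 16 bits available. */
int ll6_embed_scope(struct in6_addr *a, uint32_t scope)
{
    if (!ll6_is_linklocal(a))
        return 0;
    if (scope > 0xffff)
        return -1;
    a->s6_addr[2] = (uint8_t)(scope >> 8);
    a->s6_addr[3] = (uint8_t)(scope & 0xff);
    return 1;
}

/* The condition from the mail: a link-local address whose embedded scope is
 * still zero cannot be routed, because the stack does not know which link
 * "fe80::/10" refers to. */
int ll6_scope_missing(const struct in6_addr *a)
{
    return ll6_is_linklocal(a) && ll6_embedded_scope(a) == 0;
}

/* Parse text, embed the scope, and render the stack-internal form into out.
 * Returns the ll6_embed_scope() result, or -2 on parse/render failure.
 * Note: this form must never go on the wire; the kernel clears the
 * embedded word before transmit. */
int ll6_internal_form(const char *text, uint32_t scope, char *out, size_t outlen)
{
    struct in6_addr a;
    int rc;

    if (inet_pton(AF_INET6, text, &a) != 1)
        return -2;
    rc = ll6_embed_scope(&a, scope);
    if (rc < 0)
        return rc;
    if (inet_ntop(AF_INET6, &a, out, (socklen_t)outlen) == NULL)
        return -2;
    return rc;
}

int main(void)
{
    /* Constructed sample: the link-local peer from the thread, on ifindex 2 (assumed). */
    const char *peer = "fe80::215:17ff:fee9:3079";
    char buf[INET6_ADDRSTRLEN];
    struct in6_addr a;

    inet_pton(AF_INET6, peer, &a);
    printf("as received: %s  scope-missing=%d\n", peer, ll6_scope_missing(&a));

    if (ll6_internal_form(peer, 2, buf, sizeof buf) == 1) {
        inet_pton(AF_INET6, buf, &a);
        printf("with scope:  %s  scope-missing=%d  embedded=%u\n",
               buf, ll6_scope_missing(&a), ll6_embedded_scope(&a));
    }
    return 0;
}
```

A global address such as fc00::1 passes through ll6_embed_scope() untouched (return 0), which matches the mail's observation that the fwd rule works for global addresses and only link-local traffic is affected.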