I have tripped over what I believe is a bug in pf. On my test machine I have this fairly simple ruleset:

===============================================
set block-policy return
set skip on lo0

block in all
pass out proto { tcp, udp } all keep state
pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all
pass in proto tcp from any to (self) port 22
===============================================

After booting the machine, ifconfig for em0 looks like this:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The problem is that when I try to ssh to the machine the connection is not allowed through:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused

I have tried various things while trying to figure out what is going on here.
In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

After doing this, ssh works:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr 6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT (from April 1). I can mention that changing "(self)" to "self" in the ruleset works as expected, and the problem returns when changing it back. When I see this behaviour, it can also be "fixed" by adding another interface, e.g. "ifconfig gif0 create".

I hope that this makes sense and that someone more familiar with the inner workings of pf is able to reproduce it. I like using "(self)", but when it doesn't work reliably I'm forced to resort to workarounds. If I need to provide more info, I'll be happy to do so. Thanks in advance.

How-To-Repeat: Use "(self)" in your pf ruleset along with IPv6. I have not been able to figure out exactly when this behaviour is triggered, but it has happened to me often enough to be annoying.
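A small diagnostic for the symptom described in this report, added here as an example and not part of the PR or of pf itself: it compares the number of addresses pf currently tracks for the dynamic "(self)" entry with the number of inet/inet6 addresses configured on all interfaces (pf.conf(5) says self expands to all addresses on all interfaces). It assumes that `pfctl -vsr` renders a dynamic entry as `(self:N)` with N the tracked count, or `(self:*)` when none; the function names are mine, and the ifconfig and pfctl text is constructed rather than captured.

```shell
#!/bin/sh
# Added example: does pf's dynamic "(self)" entry cover every configured address?
# Assumption: `pfctl -vsr` prints the entry as "(self:N)" (N tracked addresses)
# or "(self:*)" when pf has none for it.

# Constructed `ifconfig -a` output modelled on the report: em0 carries a
# link-local, an IPv4 and an RA-autoconfigured IPv6 address; lo0 carries three.
IFCONFIG_SAMPLE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000'

# Constructed `pfctl -vsr` lines: the first shows pf lagging one address
# behind (the autoconfigured /64 in the report), the second is in sync.
PFCTL_STALE='pass in proto tcp from any to (self:5) port = ssh flags S/SA keep state'
PFCTL_FRESH='pass in proto tcp from any to (self:6) port = ssh flags S/SA keep state'

# Count inet/inet6 lines across all interfaces, which is what "self" expands to.
count_configured_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" || $1 == "inet6" { n++ } END { print n + 0 }'
}

# Pull N out of the first "(self:N)" token; prints 0 for "(self:*)" or no match.
count_pf_self_addrs() {
    n=$(printf '%s\n' "$1" | sed -n 's/.*(self:\([0-9][0-9]*\)).*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Return 0 when pf tracks every configured address, 1 when it lags behind.
check_self_sync() {
    want=$(count_configured_addrs "$1")
    have=$(count_pf_self_addrs "$2")
    if [ "$have" -eq "$want" ]; then
        return 0
    fi
    echo "pf (self) tracks $have address(es) but $want are configured" >&2
    return 1
}

# On a live host: check_self_sync "$(ifconfig -a)" "$(pfctl -vsr)"
check_self_sync "$IFCONFIG_SAMPLE" "$PFCTL_STALE" || echo "stale (self), as in the PR"
check_self_sync "$IFCONFIG_SAMPLE" "$PFCTL_FRESH" && echo "(self) is in sync"
```

A mismatch after an address has been added (RA autoconf, jail alias) points at the missing ifaddr notification this PR is about; re-running `pfctl -f /etc/pf.conf` forces pf to re-read the interface addresses as a stopgap.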
Responsible Changed From-To: freebsd-bugs->freebsd-pf Over to maintainer(s).
Just to make sure, I reproduced it on -CURRENT from yesterday.

FreeBSD pftest.borderworlds.dk 9.0-CURRENT FreeBSD 9.0-CURRENT #1: Sat May 22 21:53:04 CEST 2010 root@pftest.borderworlds.dk:/usr/obj/usr/src/sys/GENERIC i386

If I configure IPv6 via rc.conf with this line:

ifconfig_em0_ipv6="RTADV"

then the problem isn't there: "(self)" matches the autoconfigured address. However, if I remove that line from rc.conf and manually run the following sequence of commands:

ifconfig em0 inet6 -ifdisabled
ifconfig em0 inet6 auto_linklocal
ifconfig em0 inet6 accept_rtadv

and then wait for the autoconfigured address to appear on the interface, the problem I have described manifests itself.

-- Christian Laursen
I'm seeing the same on a dual-stacked 8.2-RELEASE box here. The box has two IPv6 addresses, one of which is assigned to a jail (and thus gets configured after boot). It's the jail IP that doesn't get matched by '(self)'.

-- Kenneth Vestergaard
As far as I can tell, the patch below fixes it. I'm not sure about the semantics of "we don't need to install a host route", but the eventhandler part was added to the bottom of the case scope, and seemingly just missed dealing with the non-error early exit when the prefixlen of a new address is 128.

Index: sys/netinet6/in6.c =================================================================== --- sys/netinet6/in6.c (revision 225328) +++ sys/netinet6/in6.c (working copy) @@ -589,6 +589,8 @@ pr0.ndpr_plen = in6_mask2len(&ifra->ifra_prefixmask.sin6_addr, NULL); if (pr0.ndpr_plen == 128) { + if (error == 0 && ia) + EVENTHANDLER_INVOKE(ifaddr_event, ifp); break; /* we don't need to install a host route. */ } pr0.ndpr_prefix = ifra->ifra_addr;

-- Kenneth Vestergaard
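Review bot: the added EVENTHANDLER_INVOKE(ifaddr_event, ifp) only fires on the prefixlen == 128 early exit, so an address added with any other prefix length, such as the /64 autoconf address in the original report, still depends on the invocation further down the case; consider moving the notification to a single point that every successful add passes through rather than duplicating it per exit path. Also confirm that `ia` can actually be NULL when `error == 0` at this point; if it cannot, the `&& ia` test is dead, and if it can, that is a path where pf would still not be told about the new address.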
The patch Kenneth has submitted does not fix my case, unfortunately. However, the following patch seems to work for me. --- nd6_rtr.c.orig 2011-09-24 20:24:25.000000000 +0200 +++ nd6_rtr.c 2011-09-24 20:20:57.000000000 +0200 @@ -1303,6 +1303,8 @@ * XXX: what if address duplication happens? */ pfxlist_onlink_check(); + + EVENTHANDLER_INVOKE(ifaddr_event, ifp); } else { /* just set an error. do not bark here. */ error = EADDRNOTAVAIL; /* XXX: might be unused. */ -- Christian Laursen
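Review bot: the unconditional EVENTHANDLER_INVOKE(ifaddr_event, ifp) sits in the branch that runs after pfxlist_onlink_check(), so it only covers addresses added on this RA prefix path; any other code that attaches an address to the interface after boot (the jail alias case reported earlier in this thread goes through in6.c, not nd6_rtr.c) would still not notify pf. Since this and Kenneth's in6.c patch both add the event at individual call sites, consider emitting it once in the common address-add routine instead, and verify that `ifp` in scope here is the interface the address was actually attached to. Minor: the new-file timestamp (20:20:57) predates the .orig timestamp (20:24:25), so regenerate the diff before submitting.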
Responsible Changed From-To: freebsd-pf->bz Try to look at over the weekend.
Responsible Changed From-To: bz->gnn I shall not use bugzilla (at least until we have a CLI).
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped