pf(4) "set skip on lo" doesn't work with IPv6
Issue #82
new
The minimal test case is the following:
- /etc/pf.conf
set skip on lo
block return in log
pass in quick proto tcp to port { ssh }
pass in quick inet6 proto ipv6-icmp
pass out quick
- /etc/ifconfig.*
up
inet 192.0.2.100 netmask 0xffffff00
inet6 2001:db8::192:0:2:100 prefixlen 32
- /etc/rc.conf
pf=YES
pflogd=YES
How to repeat:
Just attempt to log in with ssh -6 to self:
$ ssh -6 2001:db8::192:0:2:100
ssh: connect to host 2001:db8::192:0:2:100 port 22: Connection timed out
"set skip on lo" may not filter packets on connections within the same interface (I believe),
but it seems blocked, and the connection times out with the following kernel error messages.
(Why a timeout? The default block policy is return,
so if the packet was blocked, the connection would be refused, but it is not.)
Oct 7 00:03:29 xxxxxxxxxx /netbsd: in_cksum: out of data
Oct 7 00:04:11 xxxxxxxxxx /netbsd: in_cksum: out of data
Oct 7 00:06:27 xxxxxxxxxx /netbsd: in_cksum: out of data
Unfortunately, pflog + tcpdump says no packet was ever blocked.
$ sudo tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
Without the "set skip on lo" line, all works fine.
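The reproduction above, wrapped in a small harness as an added example (this is not part of the issue report and not NetBSD's or pf's own code). It loads the reporter's ruleset, attempts the IPv6 loopback connection, and then checks the two places the report looks: the kernel log for "in_cksum: out of data" and pflog0 for block decisions, so a failed connection can be classified as "blocked by a rule", "kernel checksum error with nothing logged" (the symptom reported), or neither. Assumptions: NetBSD with pf(4) and pflogd running, nc(1) installed, root privileges; the host address defaults to the report's documentation address; the "rule N/M(match): block" form of the pflog decode is the tcpdump output format I assume.

```shell
#!/bin/sh
# Added example (not from the issue): harness for the loopback IPv6 test.
# Assumes NetBSD with pf(4), pflogd(8) running, nc(1) available, run as root.

# The reporter's ruleset, including the line under suspicion.
RULESET_WITH_SKIP='set skip on lo
block return in log
pass in quick proto tcp to port { ssh }
pass in quick inet6 proto ipv6-icmp
pass out quick'

# Count "in_cksum: out of data" lines in a saved kernel log (dmesg output
# or /var/log/messages). Prints 0 and succeeds when there are none.
count_cksum_errors() {
    grep -c 'in_cksum: out of data' "$1" || true
}

# Count block decisions in a saved "tcpdump -n -e -i pflog0" decode.
# Assumed line shape: "... rule 1/0(match): block in on lo0: ...".
count_pflog_blocks() {
    grep -c 'rule [0-9]*/[0-9]*([a-z]*): block ' "$1" || true
}

# Classify one run from three numbers: connect result (0 = ok), new
# in_cksum messages, pflog block count. Mirrors the report's reasoning:
# a timeout with kernel errors and nothing in pflog is the suspicious case.
classify_run() {
    connect_rc=$1; cksum=$2; blocks=$3
    if [ "$connect_rc" -eq 0 ]; then
        echo "ok: connection succeeded"
    elif [ "$blocks" -gt 0 ]; then
        echo "blocked-by-rule: pf logged $blocks block(s)"
    elif [ "$cksum" -gt 0 ]; then
        echo "kernel-cksum-error: $cksum in_cksum message(s), nothing in pflog"
    else
        echo "unknown: connection failed with no kernel or pflog evidence"
    fi
}

# Full reproduction; needs root and a live pf. Not run on load.
# Usage: reproduce_once [ipv6-address]
reproduce_once() {
    host=${1:-2001:db8::192:0:2:100}
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$RULESET_WITH_SKIP" > "$tmp/pf.conf"
    # Syntax-check before loading, then load the ruleset.
    pfctl -nf "$tmp/pf.conf" || { echo "ruleset fails to parse"; rm -rf "$tmp"; return 1; }
    pfctl -f "$tmp/pf.conf"
    dmesg > "$tmp/dmesg.before"
    # Capture pflog0 for the duration of the connection attempt.
    tcpdump -n -e -i pflog0 -w "$tmp/pflog.pcap" 2>/dev/null &
    tcpdump_pid=$!
    sleep 1
    nc -6 -z -w 5 "$host" 22; rc=$?
    kill "$tcpdump_pid" 2>/dev/null || true
    wait "$tcpdump_pid" 2>/dev/null || true
    dmesg > "$tmp/dmesg.after"
    tcpdump -n -e -r "$tmp/pflog.pcap" 2>/dev/null > "$tmp/pflog.txt"
    before=$(count_cksum_errors "$tmp/dmesg.before")
    after=$(count_cksum_errors "$tmp/dmesg.after")
    classify_run "$rc" $((after - before)) "$(count_pflog_blocks "$tmp/pflog.txt")"
    rm -rf "$tmp"
}
```

Run it once with the "set skip on lo" ruleset and once with that line removed from RULESET_WITH_SKIP; the report's observation corresponds to the first run printing "kernel-cksum-error" and the second printing "ok".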
Comments (3)
reporter - edited description
reporter - here is IPv6 (ip6_output.c) debugging information (in Japanese)