FW: 8.0-BETA1 - for the record - different paths followed by
IPv4 and IPv6 for 'local' connections
Li, Qing
qing.li at bluecoat.com
Fri Jul 10 22:20:09 UTC 2009
-----Original Message-----
From: owner-freebsd-stable at freebsd.org on behalf of Li, Qing
Sent: Fri 7/10/2009 2:51 PM
To: Henri Hennebert; freebsd-stable at freebsd.org; freebsd-st at freebsd.org
Subject: RE: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6 for 'local' connections
Hi,
Please try patch-7-10 in my home directory http://people.freebsd.org/~qingli/
and let me know how it works out for you. I thought I had committed the patch
but it turned out I didn't.
>
> On 8.0-BETA1 there is an asymmetry:
>
> netstat -rn displays
>
> 192.168.24.1 link#3
> ....
> no entry for 2001:41d0:2:2d29:1:1::
>
This is by design as part of the new architecture in 8.0, which maintains
the L2 ARP/ND6 and L3 routing tables separately.
-- Qing
-----Original Message-----
From: owner-freebsd-stable at freebsd.org on behalf of Henri Hennebert
Sent: Fri 7/10/2009 5:32 AM
To: freebsd-stable at freebsd.org; freebsd-st at freebsd.org
Subject: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6 for 'local' connections
Hello,
After upgrading from 7.2-STABLE to 8.0-BETA1 I encounter a problem when
connecting with firefox to a local apache server using the global
unicast IPv6 address of the local machine. pf.conf must be updated!
My configuration:
[root@avoriaz ~]# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:1d:60:ad:2a:ce
inet 192.168.24.1 netmask 0xffffff00 broadcast 192.168.24.255
inet6 fe80::21d:60ff:fead:2ace%em0 prefixlen 64 scopeid 0x1
inet6 2001:41d0:2:2d29:1:1:: prefixlen 80
media: Ethernet 100baseTX (100baseTX <half-duplex>)
status: active
[root@avoriaz ~]# host www.restart.bel
www.restart.bel is an alias for avoriaz.restart.bel.
avoriaz.restart.bel has address 192.168.24.1
avoriaz.restart.bel has IPv6 address 2001:41d0:2:2d29:1:1::
pf.conf:
int_if="em0"
block in log all
block out log all
set skip on lo0
antispoof quick for $int_if inet
# Allow traffic with physical internal network
pass in quick on $int_if from ($int_if:network) to ($int_if) keep state
pass out quick on $int_if from ($int_if) to ($int_if:network) keep state
The problem:
[root@avoriaz ~]# telnet -4 www.restart.bel 80
Trying 192.168.24.1...
Connected to avoriaz.restart.bel.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@avoriaz ~]# telnet -6 www.restart.bel 80
Trying 2001:41d0:2:2d29:1:1::...
---> Never connects and gets a timeout!
tcpdump and logging in pf show me that
For an IPv4 connection:
the packet from telnet to apache passes 2 times on lo0 (out and in)
the answer packet from apache to telnet passes 2 times on lo0 (out and in)
So no problem, there is `set skip on lo0'
For an IPv6 connection:
The first packet from telnet to apache passes 2 times on lo0 (out and in)
The answer packet from apache to telnet passes on em0 and is rejected
due to the default flags S/SA.
So I have to change pf.conf and replace the last line:
pass out quick on $int_if from ($int_if) to ($int_if:network) \
keep state flags any
Then all is OK
By the way, on 7.2
netstat -rn displays
192.168.24.1 00:1d:60:ad:2a:ce
....
2001:41d0:2:2d29:1:1:: 00:1d:60:ad:2a:ce
On 8.0-BETA1 there is an asymmetry:
netstat -rn displays
192.168.24.1 link#3
....
no entry for 2001:41d0:2:2d29:1:1::
Hope it may help someone
Henri
_______________________________________________
freebsd-stable at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
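
Added example (not part of the original thread, and not pf's own code): a minimal Python model of pf's `flags <set>/<mask>` test and its quick/last-match rule order, showing why the stateless SYN+ACK leaving em0 fails the default `flags S/SA` on the `pass out` rule and matches once `flags any` is set. The rule dictionaries and packets are constructed for illustration, and address matching is assumed to succeed.

```python
# Added example: models only pf's "flags <set>/<mask>" test and rule order.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

def to_bits(letters):
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits

def flags_match(spec, packet_flags):
    """True if packet_flags satisfies a pf 'flags <spec>' clause."""
    if spec == "any":
        return True
    want, _, mask = spec.partition("/")
    # Only the flags named in the mask are inspected; of those, exactly
    # the 'want' set must be on.
    return (to_bits(packet_flags) & to_bits(mask)) == to_bits(want)

def evaluate(rules, pkt):
    """Last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "pass"  # pf's implicit default when no rule matches
    for rule in rules:
        if rule["dir"] != pkt["dir"]:
            continue
        if rule["iface"] not in (None, pkt["iface"]):
            continue
        if not flags_match(rule["flags"], pkt["flags"]):
            continue
        verdict = rule["action"]
        if rule["quick"]:
            break
    return verdict

def ruleset(pass_out_flags):
    # Constructed stand-in for the outbound half of the posted pf.conf.
    # Source/destination matching is assumed to succeed.
    return [
        {"action": "block", "dir": "out", "iface": None, "quick": False, "flags": "any"},
        {"action": "pass", "dir": "out", "iface": "em0", "quick": True, "flags": pass_out_flags},
    ]

# Constructed packets: no state exists for either, because the SYN
# crossed lo0, where "set skip on lo0" disables pf.
syn = {"dir": "out", "iface": "em0", "flags": "S"}
syn_ack = {"dir": "out", "iface": "em0", "flags": "SA"}

if __name__ == "__main__":
    for label, spec in (("default S/SA", "S/SA"), ("flags any", "any")):
        print(label, evaluate(ruleset(spec), syn), evaluate(ruleset(spec), syn_ack))
```

With `flags any`, the rule creates state from any matching TCP packet rather than only from an initial SYN.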