IPv6, pf and gif tunnels

To: tech-userlevel%netbsd.org@localhost
Subject: IPv6, pf and gif tunnels
From: Anthony Mallet <anthony.mallet%laas.fr@localhost>
Date: Fri, 21 Dec 2012 12:28:03 +0100

Hi,

Just wondering what is the status of "pf" wrt. IPv6 and gif interfaces?
I'm currently fighting with pf on a -current 6.99.15 NetBSD from Nov 12, and I
can't find what I'm doing wrong :)

I'm basically doing
 pass in on { $dsl, $he } proto tcp from any to any port ssh \
     flags S/SA synproxy state (max-src-conn-rate 4/60)

where $dsl is a regular rtk IPv4+IPv6 interface and $he an IPv6-only gif
tunnel. It's working fine on IPv4, but I get "/netbsd: cksum: out of data"
kernel messages as soon as an ssh packet arrives on either of the IPv6 ifaces,
with logs like "tcp 40 [bad hdr length 0 - too short, < 20]".

What is weird is that if I just do 
 pass in on $dsl proto tcp from any to any port ssh \
     flags S/SA synproxy state (max-src-conn-rate 4/60)
(i.e. filter only on the regular rtk interface), it works for both IPv4 and
IPv6, algthough I sometimes get spurious cksum: out of data messages.

So I'm wondering if there is something wrong with pf+ipv6+gif, or if I missed
something, or...
Any idea? I can provide more details on request.

Thanks
Anthony

Prev by Date: Re: bug in sh, probably, with test case
Next by Date: Re: bug in sh, probably, with test case
Previous by Thread: bug in sh, probably, with test case
Next by Thread: ancient less, bug, git
Indexes:

Home | Main Index | Thread Index | Old Index