Sashan, I really appreciate your deep dive into this!
Your explanation makes sense; if PF is using the local state to translate the ICMP errors back to IPv4, I can see how it would have to use the addresses available to it from the translation, so the source of the packet is reasonable in this case. My only question about the second case is the MTU reported in the packet-too-big message:

> If the too-big error is coming from host RT and the error
> matches a state created by an af-to rule, then the firewall will
> use the IPv4 address from the state (a.k.a. the destination IP from the packet
> sent by the client). In that case the client will see the too-big error as
> coming from the destination host. Looks odd, but there is nothing
> we can do about it.

I understand and this makes sense; PF can't report a source IPv6 address that does not have an explicit mapping, since that can't be represented in IPv4.

Just to double-check, is the MTU in this case (1300) for an IPv6 link? If so, should the MTU be lowered when translated back to IPv4 (20 bytes smaller) to account for the extra bloat of the headers? Or are we already back to IPv4 by the time we hit RT? I'm having a little trouble understanding the topology.

> I understand what you are trying to do. I'm afraid I will need
> the output of ifconfig and pf.conf. Taking a brief look into your source
> code I can see icmp6_reflect() is aware of routing domains, so I would
> assume things should work too.

I will send this under separate cover as a direct message to you.

Thanks again,
Jason
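As an added illustration of the 20-byte header-size adjustment the message above asks about (this is example code, not PF's af-to implementation and not from anyone in this thread), here is the MTU rewrite that RFC 7915 (SIIT) prescribes for a translator in both directions: IPv6 Packet Too Big to IPv4 Fragmentation Needed subtracts the 20-byte difference between the IPv6 and IPv4 headers, and the reverse direction adds it back while never advertising less than the 1280-byte IPv6 minimum. The next-hop MTU parameters, the function names and the RFC 1191 plateau fallback for an MTU of 0 are assumptions for the example.

```c
/*
 * MTU adjustment when translating ICMPv6 Packet Too Big <-> ICMPv4
 * Fragmentation Needed, following RFC 7915 sections 5.2 and 4.2.
 * Example code only: this is NOT OpenBSD pf's af-to code. Function
 * names and the next-hop MTU parameters are assumptions for the example.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV6_HDR_LEN	40u
#define IPV4_HDR_LEN	20u
#define HDR_DIFF	(IPV6_HDR_LEN - IPV4_HDR_LEN)	/* 20 bytes */
#define IPV6_MIN_MTU	1280u

static uint32_t
min3(uint32_t a, uint32_t b, uint32_t c)
{
	uint32_t m = a < b ? a : b;
	return m < c ? m : c;
}

/*
 * IPv6 -> IPv4: ICMPv6 Packet Too Big (type 2) becomes ICMPv4 Destination
 * Unreachable / Fragmentation Needed (type 3, code 4).  RFC 7915 5.2:
 *   MTU = min(advertised - 20, v4_nexthop_mtu, v6_nexthop_mtu - 20)
 * so a 1300-byte IPv6 link MTU is reported to the IPv4 side as 1280.
 * Returns 0 for a malformed (too small) advertised or next-hop MTU.
 */
uint32_t
ptb_to_fragneeded_mtu(uint32_t advertised, uint32_t v4_nexthop_mtu,
    uint32_t v6_nexthop_mtu)
{
	if (advertised <= HDR_DIFF || v6_nexthop_mtu <= HDR_DIFF)
		return 0;
	return min3(advertised - HDR_DIFF, v4_nexthop_mtu,
	    v6_nexthop_mtu - HDR_DIFF);
}

/* RFC 1191 section 7.1 plateau table, used when an old IPv4 router sent MTU 0. */
static const uint32_t plateau[] = {
	65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68
};

/* Largest plateau strictly smaller than the Total Length of the packet in error. */
static uint32_t
plateau_guess(uint32_t orig_total_len)
{
	size_t i;

	for (i = 0; i < sizeof(plateau) / sizeof(plateau[0]); i++)
		if (plateau[i] < orig_total_len)
			return plateau[i];
	return 68;
}

/*
 * IPv4 -> IPv6: ICMPv4 Fragmentation Needed becomes ICMPv6 Packet Too Big.
 * RFC 7915 4.2:
 *   MTU = min(advertised + 20, v6_nexthop_mtu, v4_nexthop_mtu + 20)
 * and MUST NOT be below the 1280-byte IPv6 minimum.  An advertised MTU of
 * 0 means a pre-RFC 1191 router; fall back to the plateau table using the
 * Total Length of the embedded IPv4 packet.
 */
uint32_t
fragneeded_to_ptb_mtu(uint32_t advertised, uint32_t orig_total_len,
    uint32_t v4_nexthop_mtu, uint32_t v6_nexthop_mtu)
{
	uint32_t mtu;

	if (advertised == 0)
		advertised = plateau_guess(orig_total_len);
	mtu = min3(advertised + HDR_DIFF, v6_nexthop_mtu,
	    v4_nexthop_mtu + HDR_DIFF);
	if (mtu < IPV6_MIN_MTU)
		mtu = IPV6_MIN_MTU;
	return mtu;
}

int
main(void)
{
	/* The case from the thread: 1300 on the IPv6 link, 1500 everywhere else. */
	printf("v6 PTB 1300 -> v4 frag-needed MTU %u\n",
	    ptb_to_fragneeded_mtu(1300, 1500, 1500));
	printf("v4 frag-needed 1280 -> v6 PTB MTU %u\n",
	    fragneeded_to_ptb_mtu(1280, 1500, 1500, 1500));
	return 0;
}
```

The three-way minimum matters in practice: the advertised value is only one bound, and the translator's own next-hop MTU in either family can be the tighter one.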