Li, Qing wrote:
Hi,
Please try patch-7-10 in my home directory http://people.freebsd.org/~qingli/
and let me know how it works out for you. I thought I had committed the patch
but it turned out I didn't.
I applied the patch, reset my pf.conf to its previous content, and all is
running smoothly. By the way, I discovered after my post that my
"solution" was not working for long (many bytes) connections, and this is
solved too.
Many thanks for your time
Henri
PS please commit as soon as possible
On 8.0-BETA1 there is an asymmetry:
netstat -rn displays
192.168.24.1 link#3
....
no entry for 2001:41d0:2:2d29:1:1::
This is by design as part of the new architecture in 8.0, which maintains
the L2 ARP/ND6 and L3 routing tables separately.
-- Qing
-----Original Message-----
From: owner-freebsd-sta...@freebsd.org on behalf of Henri Hennebert
Sent: Fri 7/10/2009 5:32 AM
To: freebsd-stable@freebsd.org; freebsd...@freebsd.org
Subject: 8.0-BETA1 - for the record - different paths followed by IPv4 and IPv6
for 'local' connections
Hello,
After upgrading from 7.2-STABLE to 8.0-BETA1 I encountered a problem when
connecting with firefox to a local apache server using the global
unicast IPv6 address of the local machine. pf.conf must be updated!
My configuration:
[r...@avoriaz ~]# ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=19b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4>
ether 00:1d:60:ad:2a:ce
inet 192.168.24.1 netmask 0xffffff00 broadcast 192.168.24.255
inet6 fe80::21d:60ff:fead:2ace%em0 prefixlen 64 scopeid 0x1
inet6 2001:41d0:2:2d29:1:1:: prefixlen 80
media: Ethernet 100baseTX (100baseTX <half-duplex>)
status: active
[r...@avoriaz ~]# host www.restart.bel
www.restart.bel is an alias for avoriaz.restart.bel.
avoriaz.restart.bel has address 192.168.24.1
avoriaz.restart.bel has IPv6 address 2001:41d0:2:2d29:1:1::
pf.conf:
int_if="em0"
block in log all
block out log all
set skip on lo0
antispoof quick for $int_if inet
# Allow traffic with physical internal network
pass in quick on $int_if from ($int_if:network) to ($int_if) keep state
pass out quick on $int_if from ($int_if) to ($int_if:network) keep state
The problem:
[r...@avoriaz ~]# telnet -4 www.restart.bel 80
Trying 192.168.24.1...
Connected to avoriaz.restart.bel.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[r...@avoriaz ~]# telnet -6 www.restart.bel 80
Trying 2001:41d0:2:2d29:1:1::...
---> Never connects and gets a timeout!
tcpdump and logging in pf show me that
For an IPv4 connection:
the packet from telnet to apache passes 2 times on lo0 (out and in)
the answer packet from apache to telnet passes 2 times on lo0 (out and in)
So no problem, there is `set skip on lo0'
For an IPv6 connection:
The first packet from telnet to apache passes 2 times on lo0 (out and in)
The answer packet from apache to telnet passes on em0 and is rejected
due to the default flags S/SA.
So I have to change pf.conf and replace the last line:
pass out quick on $int_if from ($int_if) to ($int_if:network) \
keep state flags any
Then all is OK
By the way, on 7.2
netstat -rn displays
192.168.24.1 00:1d:60:ad:2a:ce
....
2001:41d0:2:2d29:1:1:: 00:1d:60:ad:2a:ce
On 8.0-BETA1 there is an asymmetry:
netstat -rn displays
192.168.24.1 link#3
....
no entry for 2001:41d0:2:2d29:1:1::
Hope it may help someone
Henri
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"