Hello,

I am seeing a behavior in pf that I don't understand.

# uname -mrvp
5.0 GENERIC#36 sparc64 SUNW,UltraSPARC-IIIi (rev 2.4) @ 1062 MHz

When I have the following configured:

(not complete configuration)

ext_if = "hme0"
int_if = "bge0"

ipv6gws = "{ a.b.c.192 a.b.c.193 a.b.c.194 a.b.c.195 }"

block log all

# permit proto 41 to/from ipv6 gws
#pass log quick on $ext_if inet proto 41 from any to any
pass in log quick on $ext_if inet proto 41 from $ipv6gws to ($ext_if)
pass out log quick on $ext_if inet proto 41 from ($ext_if) to $ipv6gws

pfctl -s rules produces:
pass in log quick on hme0 inet proto ipv6 from a.b.c..192 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..193 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..194 to (hme0)
pass in log quick on hme0 inet proto ipv6 from a.b.c..195 to (hme0)
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..192
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..193
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..194
pass out log quick on hme0 inet proto ipv6 from (hme0) to a.b.c..195

gif interface:
ifconfig gif5 create
ifconfig gif5 tunnel a.b.c.195 x.y.z.38
ifconfig gif5 up
route -n add -inet6 default ::1 -ifp gif5

but this traffic is blocked by pf ($ext_if - hme0 is x.y.z.38):

20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0: a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193: [|tcp] (len 28, hlim 57) (ttl 251, id 37052, len 88)

rule 11 is "block log all" from above

but if I uncomment the rule:
pass log quick on $ext_if inet proto 41 from any to any
traffic passes.

NOTE: I have also tried modifying the rules to have $ext_if instead of ($ext_if) with the same results.

My question is, what is being blocked by the rule?

Thanks,
Mike
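The question above comes down to reading a pflog line back to the rule that produced it. The following parser is an added example and is not part of the message or of pf/tcpdump; it takes the tcpdump rendering of pflog records as quoted in the post ("rule 11/(match) [uid 0, pid 28111] block in on hme0: ...") and reports, per rule number, direction and interface, which packets were blocked. The sample log lines other than the one quoted in the post, the rule number 12 and the IP addresses in them are constructed for the example; the ruleset mapping (rule 11 = "block log all") is taken from the message.

```python
import re
from collections import Counter
from typing import Optional

# Added example (not from the original message): parser for tcpdump's rendering
# of pflog records, matching the line quoted in the post:
#   <time> rule <N>/(<reason>) [uid U, pid P] <action> <dir> on <if>: <src> > <dst>: <rest>
# For proto 41 traffic the src/dst here are the outer IPv4 addresses; the
# encapsulated IPv6 header follows in <rest>.
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"rule\s+(?P<rule>\d+)/\((?P<reason>[^)]+)\)\s+"
    r"(?:\[uid\s+(?P<uid>\d+),\s+pid\s+(?P<pid>\d+)\]\s+)?"
    r"(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>[^:\s]+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):(?:\s+(?P<rest>.*))?$"
)

# Constructed sample log. The first line is the one quoted in the message
# (addresses redacted as in the post); the other two are made up for this example.
SAMPLE_LOG = [
    "20:31:03.536279 rule 11/(match) [uid 0, pid 28111] block in on hme0: "
    "a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13:111:512f:f07a:8193: "
    "[|tcp] (len 28, hlim 57) (ttl 251, id 37052, len 88)",
    # constructed: a proto-41 packet logged by a pass rule (rule number invented)
    "20:31:04.000001 rule 12/(match) [uid 0, pid 28111] pass in on hme0: "
    "a.b.c.195 > x.y.z.38: a:b:c:d::e > a:c:f:13::1: "
    "[|tcp] (len 28, hlim 57) (ttl 251, id 37053, len 88)",
    # constructed: an unrelated TCP SYN blocked on the internal interface
    "20:31:05.000002 rule 11/(match) [uid 0, pid 28111] block in on bge0: "
    "192.0.2.10.51234 > 192.0.2.1.22: S 1:1(0) win 65535 (ttl 64, id 1, len 60)",
]

# Rule numbers as printed by "pfctl -vvs rules" (the "@N" prefix) mapped to the
# rule text; only rule 11 is known from the message.
SAMPLE_RULESET = {11: "block log all"}


def parse_pflog_line(line: str) -> Optional[dict]:
    """Parse one pflog line into its fields, or return None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def blocks_per_rule(lines) -> Counter:
    """Count blocked packets keyed by (rule number, direction, interface)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and rec["action"] == "block":
            counts[(rec["rule"], rec["dir"], rec["ifname"])] += 1
    return counts


def explain(lines, ruleset) -> list:
    """Render each blocked packet with the text of the rule that blocked it."""
    out = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        text = ruleset.get(rec["rule"], "<rule text not in ruleset>")
        out.append(
            f"rule {rec['rule']} ({text}) blocked {rec['dir']} on {rec['ifname']}: "
            f"{rec['src']} > {rec['dst']}"
        )
    return out


if __name__ == "__main__":
    for entry in explain(SAMPLE_LOG, SAMPLE_RULESET):
        print(entry)
    for (rule, direction, ifname), n in blocks_per_rule(SAMPLE_LOG).items():
        print(f"rule {rule} {direction} on {ifname}: {n} blocked")
```

To fill the ruleset mapping on a live box, load the rule numbers from `pfctl -vvs rules`, whose `@N` prefix is the number pflog reports; the outer `src > dst` pair of a blocked proto 41 packet is what has to be matched against the `from`/`to` of the pass rule, not the inner IPv6 addresses that follow it.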
