On Sun, Apr 05, 2009 at 10:48:21PM -0700, Aaron Stellman wrote:
> On Sun, Apr 05, 2009 at 10:43:17PM -0700, Aaron Stellman wrote:
> > Sorry, this machine is running 4.4 and I'm unable to upgrade it to
> > current, since I only have remote access to it.
> >
> > My goal is to have operational ipv6 tunnel. Whenever appropriate gif0 is
> > created and default route through it is added, ipv6 traffic is not
> > allowed out.
> >
> > As far as I understand, there must be a state, which will allow ipv6
> > traffic out. This state is never created as seen by 'loud' level:
> >
> > Apr 6 00:19:50 D2710 /bsd: pf: stack key attach failed on all: 41 out
> > wire: 209.51.181.2 12.158.188.186 stack: 209.51.181.2 12.158.188.186 1:0
> > Apr 6 00:19:51 D2710 /bsd: pf: stack key attach failed on all: 41 out
> > wire: 209.51.181.2 12.158.188.186 stack: 209.51.181.2 12.158.188.186 1:0
>
> Whenever I ping6 this box from "outside", appropriate state is created,
> and only then ipv6 traffic is able to go out.
>
> all ipv6 12.158.188.186 <- 209.51.181.2 MULTIPLE:MULTIPLE
>

By commenting out half the ruleset, and doing that recursively until
finding which rule causes it, I found it to be:

nat on $ext_if from !self to any -> ($ext_if:0)

In other words, same ruleset w/o rule above creates a proper state:

all ipv6 12.158.188.186 -> 209.51.181.2 MULTIPLE:MULTIPLE
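
A small parser for the "key attach failed" debug lines quoted in the message, added here as an example and not part of the original post or of pf: it rejoins syslog records that were wrapped in the mail and counts failures per protocol, direction and address pair. The regex group names are assumptions read off the visible layout of those lines.

```python
import re
from collections import Counter

# Constructed sample: the debug lines quoted in the post, wrapped as in the mail.
SAMPLE = """\
Apr 6 00:19:50 D2710 /bsd: pf: stack key attach failed on all: 41 out
wire: 209.51.181.2 12.158.188.186 stack: 209.51.181.2 12.158.188.186 1:0
Apr 6 00:19:51 D2710 /bsd: pf: stack key attach failed on all: 41 out
wire: 209.51.181.2 12.158.188.186 stack: 209.51.181.2 12.158.188.186 1:0
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
# Group names are assumptions read off the visible layout of the message.
EVENT = re.compile(
    r"pf: (?P<side>\w+) key attach failed on (?P<ifname>\S+): "
    r"(?P<proto>\S+) (?P<dir>in|out) "
    r"wire: (?P<wire>\S+ \S+) stack: (?P<stack>\S+ \S+)"
)

def unwrap(text):
    """Rejoin syslog records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a new record starts with a timestamp
        else:
            records[-1] += " " + line     # continuation of the previous record
    return records

def parse(text):
    """Return one dict per 'key attach failed' record found in text."""
    events = []
    for rec in unwrap(text):
        m = EVENT.search(rec)
        if m:
            ev = m.groupdict()
            ev["keys_differ"] = ev["wire"] != ev["stack"]  # address pairs differ?
            events.append(ev)
    return events

def summarize(events):
    """Count failures per (protocol, direction, wire address pair)."""
    return Counter((e["proto"], e["dir"], e["wire"]) for e in events)

if __name__ == "__main__":
    for (proto, direction, pair), n in summarize(parse(SAMPLE)).items():
        note = " (IPv6-in-IPv4 encapsulation)" if proto == "41" else ""
        print(f"{n}x proto {proto}{note} {direction} {pair}")
```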