My configuration drops ICMP6_TIME_EXCEEDED crossing rdomains.
I can't find a problem with the setup.
If this is my fault, please tell me.
I have an IP6 connection via SIXXS. I put gif0 in its own rdomain
so I could isolate the tunnel endpoint addresses.

pf.conf:

# outgoing from internals
pass out quick on lo2 \
    inet6 \
    to ! $net6 \
    rtable 1 \
    label lo2out

pass in quick on gif0 \
    inet6 \
    to <valid6> \
    rtable 0 \
    label ip6in
river:gwes:5720$ netstat -rn -f inet6
Routing tables

Internet6:
Destination        Gateway                  Flags   Refs      Use   Mtu  Prio Iface
::/104             ::1                      UGRS       0        0     -     8 lo0
::/96              ::1                      UGRS       0        0     -     8 lo0
default            ::2                      UGS      739    22876     -     8 lo2
[paths to local hosts omitted]

river:gwes:5724$ netstat -T 1 -rn -f inet6
Routing tables

Internet6:
Destination        Gateway                  Flags   Refs      Use   Mtu  Prio Iface
default            2001:4830:1100:2db::1    UGS        0    22952     -     8 gif0
::1                link#7                   UHL        0        0     -     4 lo0
ping6 to any external host works
traceroute6 using ICMP6 ECHO works
traceroute6 using UDP returns nothing
I can see the TIME_EXCEEDED packets coming in on gif0 using tcpdump.
I can't see them after that. They seem to disappear somewhere in
PF, leaving no trace.
My first thought is that the outgoing state is marked with rdomain 0.
The returned packet is marked with rdomain 1.
It looks like ECHO packets and TIME_EXCEEDED packets go through different
paths in incoming state matching.
It looks like TIME_EXCEEDED packets can't match because of
the different rdomains and therefore get dropped invisibly.
Comments? Flames? RTFMs?
thanks
Geoff Steckel
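To make the suspected failure concrete, here is an added example (not from the poster or from PF's source) that builds a constructed ICMP6 Time Exceeded quoting a UDP traceroute6 probe, pulls the quoted flow back out the way a stateful filter has to, and then models the lookup the poster suspects: states keyed by (rdomain, flow), so an error evaluated in rdomain 1 never finds the state created in rdomain 0. The addresses are documentation-range placeholders and the rdomain-keyed state table is an assumption about PF's behaviour, not a statement of it.

```python
import struct
import ipaddress

ICMP6_TIME_EXCEEDED, IPPROTO_ICMPV6, IPPROTO_UDP = 3, 58, 17

def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """40-byte IPv6 header (constructed test data, no extension headers)."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header,
                       hop_limit, ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed)

def time_exceeded(router, probe_src, probe_dst, sport, dport):
    """Constructed ICMP6 Time Exceeded from `router`, quoting a UDP probe
    the way a traceroute6 hop would (checksums left zero)."""
    quoted = (ipv6_header(probe_src, probe_dst, IPPROTO_UDP, 8, hop_limit=0)
              + struct.pack("!HHHH", sport, dport, 8, 0))
    icmp = struct.pack("!BBHI", ICMP6_TIME_EXCEEDED, 0, 0, 0) + quoted
    return ipv6_header(router, probe_src, IPPROTO_ICMPV6, len(icmp)) + icmp

def parse_ipv6(pkt):
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {"next": nh, "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)), "payload": pkt[40:40 + plen]}

def icmp6_inner_flow(pkt):
    """Flow key of the UDP packet quoted inside an ICMP6 Time Exceeded,
    oriented as the outbound probe that created the state; None otherwise."""
    outer = parse_ipv6(pkt)
    if outer["next"] != IPPROTO_ICMPV6:
        return None
    icmp = outer["payload"]
    if icmp[0] != ICMP6_TIME_EXCEEDED:
        return None
    inner = parse_ipv6(icmp[8:])     # quoted packet follows the 8-byte ICMP6 header
    if inner["next"] != IPPROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return (IPPROTO_UDP, inner["src"], sport, inner["dst"], dport)

def match_state(states, rdomain, flow):
    """Model (assumption, not PF's code) of the lookup the poster suspects:
    states keyed by (rdomain, flow), so the rdomain must match too."""
    return states.get((rdomain, flow))

if __name__ == "__main__":
    probe = icmp6_inner_flow(time_exceeded("2001:db8::1", "2001:db8:1::10",
                                           "2001:db8:2::20", 40000, 33434))
    states = {(0, probe): "lo2out"}      # state created on the rtable 0 side
    print(probe, match_state(states, 0, probe), match_state(states, 1, probe))
```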