My configuration drops ICMP6_TIME_EXCEEDED crossing rdomains. I can't find a problem with the setup. If this is my fault, please tell me.
I have an IP6 connection via SIXXS. I put gif0 in its own rdomain so I could isolate the tunnel endpoint addresses.

pf.conf:

# outgoing from internals
pass out quick on lo2 \
    inet6 \
    to ! $net6 \
    rtable 1 \
    label lo2out

pass in quick on gif0 \
    inet6 \
    to <valid6> \
    rtable 0 \
    label ip6in

river:gwes:5720$ netstat -rn -f inet6
Routing tables

Internet6:
Destination        Gateway        Flags   Refs   Use   Mtu  Prio Iface
::/104             ::1            UGRS       0     0     -     8 lo0
::/96              ::1            UGRS       0     0     -     8 lo0
default            ::2            UGS      739 22876     -     8 lo2
[paths to local hosts omitted]

river:gwes:5724$ netstat -T 1 -rn -f inet6
Routing tables

Internet6:
Destination        Gateway                   Flags   Refs   Use   Mtu  Prio Iface
default            2001:4830:1100:2db::1     UGS        0 22952     -     8 gif0
::1                link#7                    UHL        0     0     -     4 lo0

ping6 to any external host works.
traceroute6 using ICMP6 ECHO works.
traceroute6 using UDP returns nothing.

I can see the TIME_EXCEEDED packets coming in gif0 using tcpdump. I can't see them after that. They seem to disappear somewhere in PF, leaving no trace.

My first thought is that the outgoing state is marked with rdomain 0. The returned packet is marked with rdomain 1. It looks like ECHO packets and TIME_EXCEEDED packets go through different paths in incoming state matching. It looks like TIME_EXCEEDED packets can't match because of the different rdomains and therefore get dropped invisibly.

Comments? Flames? RTFMs?

thanks
Geoff Steckel
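The hypothesis in the post above, that an ICMPv6 Time Exceeded reply is matched against the state of the UDP probe it quotes and therefore fails when the state key carries a different routing table, can be exercised with a small model. The following Python is an added illustration written for this page; it is not PF's code, and the flat state-key tuple with an rtable field, the hand-built packets, and the 2001:db8:: addresses are all constructed assumptions standing in for the real state structure and the poster's setup. It builds a Time Exceeded message quoting an expired UDP traceroute probe, recovers the key of the original outgoing flow from the quoted header, and looks it up once under the rtable the probe left on and once under the rtable the reply arrives on.

```python
"""Model of stateful matching for ICMPv6 Time Exceeded replies.

Constructed illustration, not PF's own code: the (rtable, proto, src, sport,
dst, dport) key shape and the rtable field are assumptions standing in for
the real firewall state structure.
"""
import ipaddress
import struct

ICMP6_TIME_EXCEEDED = 3
PROTO_ICMPV6 = 58
PROTO_UDP = 17


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Assemble a minimal IPv6 header (no extension headers) in front of payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_udp(sport, dport, data=b""):
    """UDP header with the checksum left at 0 (not validated by this model)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_time_exceeded(router, probe_src, probe_dst, sport, dport):
    """ICMPv6 Time Exceeded (type 3, code 0) from router, quoting the expired probe."""
    quoted = build_ipv6(probe_src, probe_dst, PROTO_UDP, build_udp(sport, dport), hop_limit=0)
    icmp = struct.pack("!BBHI", ICMP6_TIME_EXCEEDED, 0, 0, 0) + quoted  # checksum left 0
    return build_ipv6(router, probe_src, PROTO_ICMPV6, icmp)


def parse_ipv6(buf):
    """Split a fixed IPv6 header into addresses, next header and payload."""
    _, plen, nh, _ = struct.unpack("!IHBB", buf[:8])
    return {
        "src": ipaddress.IPv6Address(buf[8:24]),
        "dst": ipaddress.IPv6Address(buf[24:40]),
        "nh": nh,
        "payload": buf[40:40 + plen],
    }


def reverse_key_for_icmp6_error(buf, rtable):
    """Key of the original outgoing flow, recovered from the quoted inner header.

    An ICMPv6 error is matched against the state of the packet it quotes,
    not against the error's own outer addresses. Returns None for anything
    that is not a Time Exceeded quoting a UDP packet.
    """
    outer = parse_ipv6(buf)
    if outer["nh"] != PROTO_ICMPV6:
        return None
    icmp = outer["payload"]
    if icmp[0] != ICMP6_TIME_EXCEEDED:
        return None
    inner = parse_ipv6(icmp[8:])  # quoted header starts after the 8-byte ICMPv6 header
    if inner["nh"] != PROTO_UDP:
        return None
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return (rtable, PROTO_UDP, str(inner["src"]), sport, str(inner["dst"]), dport)


class StateTable:
    """Toy state table: an outgoing flow is stored under the rtable it left on."""

    def __init__(self):
        self.states = {}

    def add_outgoing(self, rtable, proto, src, sport, dst, dport):
        self.states[(rtable, proto, src, sport, dst, dport)] = "ESTABLISHED"

    def match_icmp6_error(self, buf, rtable):
        """True when the quoted flow exists in the state table under this rtable."""
        return reverse_key_for_icmp6_error(buf, rtable) in self.states


def demo():
    # Constructed documentation-prefix addresses, not the poster's.
    host, target, router = "2001:db8::10", "2001:db8:ffff::1", "2001:db8:1::254"
    table = StateTable()
    table.add_outgoing(0, PROTO_UDP, host, 50000, target, 33434)  # probe left on rtable 0
    reply = build_time_exceeded(router, host, target, 50000, 33434)
    return {
        "same_rtable": table.match_icmp6_error(reply, 0),   # state found
        "other_rtable": table.match_icmp6_error(reply, 1),  # key differs, reply dropped
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two lookups is the rtable component of the key; the quoted addresses and ports are identical. Whether the real PF state lookup keys ICMPv6 errors this way is exactly the question the post raises, and the model shows what a pfctl -ss or tcpdump view of the dropped packet would not: the state exists, but under a key the reply is not evaluated against.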