Hi --

On 29.12.2012, at 13:07, Kimmo Paasiala <[email protected]> wrote:

> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana <[email protected]> wrote:
>> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>>> I do run both my primary and secondary nameservers (distinct servers) in
>>> FreeBSD jail1 and jail2 as outlined below:
>> <snip>
>>> I do see using tcpdump at server1:
>>>
>>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd),
>>> length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length:
>>> 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss
>>> 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 9.1's PF appears to be either corrupting or not updating the packet
>> checksum when it touches IPv6 packets. I was not able to figure out how
>> or why in my brief perusal of the source, but it seems to affect more
>> than just NAT66.
>>
>> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.

I've been told to change my outgoing rule from ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state

... to ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all

... and that did the trick! No more checksum and timeout errors. Now it works as expected.

Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I have used that rule since 7.0, IIRC.

And one last question: I do have "modulate state" for the corresponding IPv4 rule as well. Should I modify that as well? Sorry for that dumb question, but I don't know pf well enough to judge myself.

Thanks for your help, and with kind regards,
Michael

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[email protected]"
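As an added example (not from the thread and not pf's own code), here is a small Python checker that recomputes the IPv6 TCP pseudo-header checksum and reports it the way tcpdump's "cksum ... (incorrect -> ...)" annotation does, so captured packets can be checked for exactly the mismatch discussed above. The SYN is constructed from the fields visible in the quoted tcpdump line with the post's placeholder addresses; 2001:db8::1 is an assumed translated source, standing in for a NAT rewrite that left the stored checksum untouched.

```python
import ipaddress
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, folded, as used by TCP/IP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp6_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum an IPv6/TCP segment should carry: RFC 2460 pseudo-header
    (src, dst, upper-layer length, next header 6) plus the segment, cksum zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(segment), 6))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def check_tcp6(src: str, dst: str, segment: bytes):
    """Return (ok, stored, expected): the values behind tcpdump's annotation."""
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp6_checksum(src, dst, segment)
    return stored == expected, stored, expected


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Constructed SYN with the fields visible in the thread's tcpdump line:
    win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0]."""
    options = (struct.pack("!BBH", 2, 4, 1440)               # mss 1440
               + b"\x01"                                     # nop
               + struct.pack("!BBB", 3, 3, 6)                # wscale 6
               + struct.pack("!BB", 4, 2)                    # sackOK
               + struct.pack("!BBII", 8, 10, 495939599, 0))  # TS val / ecr
    offset = (20 + len(options)) // 4                        # 10 words = 40 bytes
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, offset << 4,
                         0x02, 65535, 0, 0)                  # flags [S], cksum 0
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp6_checksum(src, dst, segment)) + segment[18:]


if __name__ == "__main__":
    # Placeholder addresses as in the post; 2001:db8::1 is the assumed address a
    # NAT rewrote the source to without updating the checksum (the failure above).
    syn = build_syn("b:b:b:b::1", "a:a:a:a:1::1", 64158, 53, 3833155181)
    print(check_tcp6("b:b:b:b::1", "a:a:a:a:1::1", syn))    # ok: True
    print(check_tcp6("2001:db8::1", "a:a:a:a:1::1", syn))   # ok: False
```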
