On 2014-11-07 14:35, Pieter Verberne wrote:
My problem:
`ping6 fe80::200:24ff:fecd:7df8%pppoe0` with pf disabled is no problem.
ping6, with pf enabled and 'set skip on lo0' does not work very well:
I could reproduce this very easily with a clean -current installation.
OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014
# ifconfig vether0 create
# ifconfig vether0 inet 1.1.1.1 255.0.0.0
# ifconfig vether0 inet6 eui64
# ifconfig vether0
vether0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr fe:e1:ba:d0:bd:e1
priority: 0
groups: vether
media: Ethernet autoselect
status: active
inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
inet6 fe80::fce1:baff:fed0:bde1%vether0 prefixlen 64 scopeid 0x5
# ping6 fe80::fce1:baff:fed0:bde1%vether0
PING6(56=40+8+8 bytes) fe80::fce1:baff:fed0:bde1%vether0 --> fe80::fce1:baff:fed0:bde1%vether0
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=0 hlim=64 time=0.407 ms
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=24 hlim=64 time=0.216 ms
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=46 hlim=64 time=0.316 ms
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=67 hlim=64 time=0.276 ms
^C
--- fe80::fce1:baff:fed0:bde1%vether0 ping6 statistics ---
78 packets transmitted, 4 packets received, 94.9% packet loss
round-trip min/avg/max/std-dev = 0.216/0.304/0.407/0.069 ms
comment out 'set skip on lo' (hmm, default pf.conf says 'lo',
not 'lo0')
sudo pfctl -f /etc/pf.conf
# ping6 fe80::fce1:baff:fed0:bde1%vether0
PING6(56=40+8+8 bytes) fe80::fce1:baff:fed0:bde1%vether0 --> fe80::fce1:baff:fed0:bde1%vether0
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=0 hlim=64 time=0.215 ms
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=1 hlim=64 time=0.372 ms
...
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=35 hlim=64 time=0.218 ms
16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=36 hlim=64 time=0.207 ms
^C
--- fe80::fce1:baff:fed0:bde1%vether0 ping6 statistics ---
37 packets transmitted, 37 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.195/0.262/0.391/0.055 ms
while ping is running and 'set skip on lo' is set:
# pfctl -s all
FILTER RULES:
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
STATES:
all tcp 192.168.56.2:22 <- 192.168.56.1:30613 ESTABLISHED:ESTABLISHED
all tcp 192.168.56.2:22 <- 192.168.56.1:30698 ESTABLISHED:ESTABLISHED
all ipv6-icmp fe80::fce1:baff:fed0:bde1[128] <- fe80::fce1:baff:fed0:bde1[6521] 0:0
all ipv6-icmp fe80::fce1:baff:fed0:bde1[6521] <- fe80::fce1:baff:fed0:bde1[128] 0:0
all udp 192.168.56.255:137 <- 192.168.56.1:137 NO_TRAFFIC:SINGLE
INFO:
Status: Enabled for 0 days 00:13:27 Debug: err
State Table Total Rate
current entries 5
searches 2808 3.5/s
inserts 34 0.0/s
removals 29 0.0/s
Counters
match 101 0.1/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 42 0.1/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
translate 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 60s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 1536
tables hard limit 1000
table-entries hard limit 200000
OS FINGERPRINTS:
710 fingerprints loaded
while ping is running and 'set skip on lo' is NOT set:
# pfctl -s all
FILTER RULES:
block return all
pass all flags S/SA
block return in on ! lo0 proto tcp from any to any port 6000:6010
STATES:
all tcp 192.168.56.2:22 <- 192.168.56.1:30613 ESTABLISHED:ESTABLISHED
all tcp 192.168.56.2:22 <- 192.168.56.1:30698 ESTABLISHED:ESTABLISHED
all udp 192.168.56.255:137 <- 192.168.56.1:137 NO_TRAFFIC:SINGLE
all udp 192.168.56.255:8083 <- 192.168.56.1:63348 NO_TRAFFIC:SINGLE
all ipv6-icmp fe80::fce1:baff:fed0:bde1[24222] -> fe80::fce1:baff:fed0:bde1[128] 0:0
all ipv6-icmp fe80::fce1:baff:fed0:bde1[128] <- fe80::fce1:baff:fed0:bde1[24222] 0:0
INFO:
Status: Enabled for 0 days 00:16:27 Debug: err
State Table Total Rate
current entries 6
searches 3292 3.3/s
inserts 42 0.0/s
removals 36 0.0/s
Counters
match 168 0.2/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 101 0.1/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
translate 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 60s
interval 10s
adaptive.start 6000 states
adaptive.end 12000 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 1536
tables hard limit 1000
table-entries hard limit 200000
OS FINGERPRINTS:
710 fingerprints loaded
#
Hmm, the skip rule is not displayed in 'pfctl -s rules'.
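As an added check (not part of the report above, and not OpenBSD code): a small Python parser for the ipv6-icmp state lines and the ping6 output quoted in the report. It reports whether the self-addressed states form the expected outbound/inbound pair and which icmp_seq numbers never came back. The sample text is copied from the report, with the e-mail line wraps joined.

```python
import re

# Constructed samples: the ipv6-icmp state lines from the two 'pfctl -s all'
# runs in the report (other states omitted) and the icmp_seq values echoed
# back during the 'set skip on lo' run.
STATES_SKIP_LO = """\
all ipv6-icmp fe80::fce1:baff:fed0:bde1[128] <- fe80::fce1:baff:fed0:bde1[6521] 0:0
all ipv6-icmp fe80::fce1:baff:fed0:bde1[6521] <- fe80::fce1:baff:fed0:bde1[128] 0:0
"""
STATES_NO_SKIP = """\
all ipv6-icmp fe80::fce1:baff:fed0:bde1[24222] -> fe80::fce1:baff:fed0:bde1[128] 0:0
all ipv6-icmp fe80::fce1:baff:fed0:bde1[128] <- fe80::fce1:baff:fed0:bde1[24222] 0:0
"""
PING_SKIP_LO = "icmp_seq=0 hlim=64\nicmp_seq=24 hlim=64\nicmp_seq=46 hlim=64\nicmp_seq=67 hlim=64\n"

# One pf ICMP/ICMPv6 state line: iface proto src[id] dir dst[id] ...
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>icmp|ipv6-icmp)\s+"
    r"(?P<src>\S+?)\[(?P<sid>\d+)\]\s+(?P<dir><-|->)\s+"
    r"(?P<dst>\S+?)\[(?P<did>\d+)\]")

def icmp_states(text):
    """Parse the ICMP/ICMPv6 entries of a 'pfctl -s states' dump."""
    return [m.groupdict() for m in map(STATE_RE.match, text.splitlines()) if m]

def self_addressed(states):
    """States whose two endpoints are the same address (host pinging itself)."""
    return [s for s in states if s["src"] == s["dst"]]

def looks_paired(states):
    """True when the self-addressed states are one outbound ('->') and one
    inbound ('<-') entry over the same id/type pair. In the 'set skip on lo'
    run both entries are inbound, so this returns False; without the skip
    line it returns True."""
    mine = self_addressed(states)
    if len(mine) != 2:
        return False
    keys = {frozenset((s["sid"], s["did"])) for s in mine}
    return len(keys) == 1 and {s["dir"] for s in mine} == {"->", "<-"}

def missing_seqs(ping_output):
    """icmp_seq numbers absent between 0 and the highest one echoed back."""
    seen = {int(n) for n in re.findall(r"icmp_seq=(\d+)", ping_output)}
    return [n for n in range(max(seen) + 1) if n not in seen] if seen else []

if __name__ == "__main__":
    print("skip on lo paired:", looks_paired(icmp_states(STATES_SKIP_LO)))
    print("no skip paired:", looks_paired(icmp_states(STATES_NO_SKIP)))
    print("missing seqs:", len(missing_seqs(PING_SKIP_LO)))
```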