Re: ping6 to Link Local disturbed by pf set skip?
On 2014-11-08 11:18, Pieter Verberne wrote:
On 2014-11-07 14:35, Pieter Verberne wrote:
My problem: `ping6 fe80::200:24ff:fecd:7df8%pppoe0` with pf disabled is no problem. ping6, with pf enabled and 'set skip on lo0' does not work very well:

I could reproduce this very easily with a clean -current installation.

snip

This problem started in 5.1. 5.0 is working.

http://www.openbsd.org/51.html:

pf(4) improvements:
- One-shot rule support for pf(4), for use with proxies via anchors.
- NAT64 support in PF using the af-to keyword.
- Much improved IPv6 fragment handling.
- Various enhancements with ICMP and especially ICMPv6 states
- Improved IPv6 Neighbor Discovery and Multicast Listener Discovery handling.
- pfctl(8) now prints port numbers instead of service names by default.
- Netflow v9 and ipfix support for pflow(4).
- Many pfsync(4) fixes and improvements including jumbo frames and automatically requesting a bulk update after a physical interface comes online.

Re: ping6 to Link Local disturbed by pf set skip?
On 2014-11-07 14:35, Pieter Verberne wrote:
My problem: `ping6 fe80::200:24ff:fecd:7df8%pppoe0` with pf disabled is no problem. ping6, with pf enabled and 'set skip on lo0' does not work very well:

I could reproduce this very easily with a clean -current installation.

OpenBSD 5.6-current (GENERIC) #492: Fri Nov 7 10:21:36 MST 2014

    # ifconfig vether0 create
    # ifconfig vether0 inet 1.1.1.1 255.0.0.0
    # ifconfig vether0 inet6 eui64
    # ifconfig vether0
    vether0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr fe:e1:ba:d0:bd:e1
            priority: 0
            groups: vether
            media: Ethernet autoselect
            status: active
            inet 1.1.1.1 netmask 0xff00 broadcast 1.255.255.255
            inet6 fe80::fce1:baff:fed0:bde1%vether0 prefixlen 64 scopeid 0x5
    # ping6 fe80::fce1:baff:fed0:bde1%vether0
    PING6(56=40+8+8 bytes) fe80::fce1:baff:fed0:bde1%vether0 --> fe80::fce1:baff:fed0:bde1%vether0
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=0 hlim=64 time=0.407 ms
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=24 hlim=64 time=0.216 ms
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=46 hlim=64 time=0.316 ms
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=67 hlim=64 time=0.276 ms
    ^C
    --- fe80::fce1:baff:fed0:bde1%vether0 ping6 statistics ---
    78 packets transmitted, 4 packets received, 94.9% packet loss
    round-trip min/avg/max/std-dev = 0.216/0.304/0.407/0.069 ms

comment out 'set skip on lo' (hmm, default pf.conf says 'lo', not 'lo0')

    sudo pfctl -f /etc/pf.conf
    # ping6 fe80::fce1:baff:fed0:bde1%vether0
    PING6(56=40+8+8 bytes) fe80::fce1:baff:fed0:bde1%vether0 --> fe80::fce1:baff:fed0:bde1%vether0
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=0 hlim=64 time=0.215 ms
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=1 hlim=64 time=0.372 ms
    ...
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=35 hlim=64 time=0.218 ms
    16 bytes from fe80::fce1:baff:fed0:bde1%vether0, icmp_seq=36 hlim=64 time=0.207 ms
    ^C
    --- fe80::fce1:baff:fed0:bde1%vether0 ping6 statistics ---
    37 packets transmitted, 37 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 0.195/0.262/0.391/0.055 ms

while ping is running and 'set skip on lo' is set:

    # pfctl -s all
    FILTER RULES:
    block return all
    pass all flags S/SA
    block return in on ! lo0 proto tcp from any to any port 6000:6010

    STATES:
    all tcp 192.168.56.2:22 - 192.168.56.1:30613 ESTABLISHED:ESTABLISHED
    all tcp 192.168.56.2:22 - 192.168.56.1:30698 ESTABLISHED:ESTABLISHED
    all ipv6-icmp fe80::fce1:baff:fed0:bde1[128] - fe80::fce1:baff:fed0:bde1[6521] 0:0
    all ipv6-icmp fe80::fce1:baff:fed0:bde1[6521] - fe80::fce1:baff:fed0:bde1[128] 0:0
    all udp 192.168.56.255:137 - 192.168.56.1:137 NO_TRAFFIC:SINGLE

    INFO:
    Status: Enabled for 0 days 00:13:27 Debug: err
    State Table Total Rate
    current entries5
    searches28083.5/s
    inserts 340.0/s
    removals 290.0/s
    Counters
    match1010.1/s
    bad-offset 00.0/s
    fragment 00.0/s
    short 00.0/s
    normalize 00.0/s
    memory 00.0/s
    bad-timestamp 00.0/s
    congestion 00.0/s
    ip-option 00.0/s
    proto-cksum00.0/s
    state-mismatch 00.0/s
    state-insert 420.1/s
    state-limit00.0/s
    src-limit 00.0/s
    synproxy 00.0/s
    translate 00.0/s

    TIMEOUTS:
    tcp.first 120s
    tcp.opening 30s
    tcp.established 86400s
    tcp.closing 900s
    tcp.finwait 45s
    tcp.closed 90s
    tcp.tsdiff 30s
    udp.first60s
    udp.single 30s
    udp.multiple 60s
    icmp.first 20s
    icmp.error 10s
    other.first 60s
    other.single 30s
    other.multiple 60s
    frag 60s
    interval 10s
    adaptive.start 6000 states
    adaptive.end 12000 states
    src.track 0s

    LIMITS:
    stateshard limit1
    src-nodes hard limit1
    frags hard limit 1536
    tableshard limit 1000
    table-entries hard limit

ping6 to Link Local disturbed by pf set skip?
Hi all,

When I add an ip address to an interface in OpenBSD 5.6 it will create two routes:

    172.16/16 link#15UC 00 - 4 vether99
    172.16.25.1fe:e1:ba:d1:50:44 UHLl 00 - 1 lo0

before it would only create:

    172.16/16 link#15UC 00 - 4 vether99

New behaviour since 5.6? Oke

My problem: `ping6 fe80::200:24ff:fecd:7df8%pppoe0` with pf disabled is no problem. ping6, with pf enabled and 'set skip on lo0' does not work very well:

    --- fe80::200:24ff:fecd:7df8%pppoe0 ping6 statistics ---
    58 packets transmitted, 3 packets received, 94.8% packet loss
    round-trip min/avg/max/std-dev = 0.320/0.393/0.491/0.072 ms

pf enabled and 'set skip on lo0' NOT set; works perfectly fine.

A situation: 'set skip on lo0' is set. ping6 is running. I remove 'set skip on lo0' and enable the change with pfctl:

    16 bytes from fe80::200:24ff:fecd:7df8%pppoe0, icmp_seq=69 hlim=64 time=0.333 ms
    16 bytes from fe80::200:24ff:fecd:7df8%pppoe0, icmp_seq=92 hlim=64 time=0.310 ms
    ping6: sendmsg: No route to host
    ping6: wrote fe80::200:24ff:fecd:7df8%pppoe0 16 chars, ret=-1
    ping6: sendmsg: No route to host
    ping6: wrote fe80::200:24ff:fecd:7df8%pppoe0 16 chars, ret=-1
    ping6: sendmsg: No route to host
    ping6: wrote fe80::200:24ff:fecd:7df8%pppoe0 16 chars, ret=-1
    ping6: sendmsg: No route to host
    ping6: wrote fe80::200:24ff:fecd:7df8%pppoe0 16 chars, ret=-1
    16 bytes from fe80::200:24ff:fecd:7df8%pppoe0, icmp_seq=116 hlim=64 time=0.332 ms
    16 bytes from fe80::200:24ff:fecd:7df8%pppoe0, icmp_seq=117 hlim=64 time=0.270 ms

The first two ping replies are the 3,2% that were working. After the 'No route to host' messages, ping starts responding normally.

I have seen no trouble with IPv4.

Greets,
Pieter

    $ ifconfig pppoe0
    pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
            priority: 0
            dev: vlan6 state: session
            sid: 0x159 PADI retries: 0 PADR retries: 0 time: 00:11:49
            sppp: phase network authproto pap
            groups: pppoe egress
            status: active
            inet6 fe80::200:24ff:fecd:7df8%pppoe0 -> prefixlen 64 scopeid 0xb
            inet 80.100.141.131 --> 194.109.5.175 netmask 0x
    $
    $ netstat -rn
    Routing tables

    Internet:
    DestinationGatewayFlags Refs Use Mtu Prio Iface
    default194.109.5.175 UGS3 3547 - 8 pppoe0
    10.0/16link#8 UC 00 - 4 vether0
    10.0.0.1 fe:e1:ba:d0:81:54 UHLl 00 - 1 lo0
    80.100.141.131 127.0.0.1 UHl00 - 1 lo0
    127/8 127.0.0.1 UGRS 00 32768 8 lo0
    127.0.0.1 127.0.0.1 UH 10 32768 4 lo0
    194.109.5.175 80.100.141.131 UH 00 - 4 pppoe0
    224/4 127.0.0.1 URS00 32768 8 lo0

    Internet6:
    DestinationGatewayFlags Refs Use Mtu Prio Iface
    ::/104 ::1UGRS 00 32768 8 lo0
    ::/96 ::1UGRS 00 32768 8 lo0
    ::1::1UH 140 32768 4 lo0
    ::127.0.0.0/104::1UGRS 00 32768 8 lo0
    ::224.0.0.0/100::1UGRS 00 32768 8 lo0
    ::255.0.0.0/104::1UGRS 00 32768 8 lo0
    :::0.0.0.0/96 ::1UGRS 00 32768 8 lo0
    2002::/24 ::1UGRS 00 32768 8 lo0
    2002:7f00::/24 ::1UGRS 00 32768 8 lo0
    2002:e000::/20 ::1UGRS 00 32768 8 lo0
    2002:ff00::/24 ::1UGRS 00 32768 8 lo0
    fe80::/10 ::1UGRS 00 32768 8 lo0
    fe80::%lo0/64 fe80::1%lo0U 00 - 4 lo0
    fe80::1%lo0fe80::1%lo0UHLl 00 - 1 lo0
    fe80::%pppoe0/64 fe80::200:24ff:fecd:7df8%pppoe0 U 00 - 4 pppoe0
    fe80::200:24ff:fecd:7df8%pppoe0::1Hl 0 889 - 1 lo0
    fec0::/10 ::1UGRS 00 32768 8 lo0
    ff01::/16 ::1UGRS 00 32768