From xi@talaxian.borderworlds.dk  Sat May 22 15:03:47 2010
Return-Path: <xi@talaxian.borderworlds.dk>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7B18C106566B
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 22 May 2010 15:03:47 +0000 (UTC)
	(envelope-from xi@talaxian.borderworlds.dk)
Received: from talaxian.borderworlds.dk (talaxian.nrv.borderworlds.dk [188.177.140.243])
	by mx1.freebsd.org (Postfix) with ESMTP id 3A2208FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 22 May 2010 15:03:46 +0000 (UTC)
Received: by talaxian.borderworlds.dk (Postfix, from userid 1001)
	id 9C352171A6; Sat, 22 May 2010 17:03:44 +0200 (CEST)
Message-Id: <20100522150344.9C352171A6@talaxian.borderworlds.dk>
Date: Sat, 22 May 2010 17:03:44 +0200 (CEST)
From: Christian Laursen <xi@borderworlds.dk>
Reply-To: Christian Laursen <xi@borderworlds.dk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [pf] "(self)" not always matching all local IPv6 addresses
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         146832
>Category:       kern
>Synopsis:       [pf] "(self)" not always matching all local IPv6 addresses
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gnn
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 22 15:10:01 UTC 2010
>Closed-Date:    
>Last-Modified:  Sun May 18 05:00:56 UTC 2014
>Originator:     Christian Laursen
>Release:        FreeBSD 8.0-RELEASE-p2 amd64
>Organization:
The Border Worlds 
>Environment:
System: FreeBSD talaxian.borderworlds.dk 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #4: Thu Jan 7 21:11:54 CET 2010 root@talaxian.borderworlds.dk:/usr/obj/usr/src/sys/TALAXIAN amd64

>Description:
I have tripped over what I believe is a bug in pf.

On my test machine I have this fairly simple ruleset:
===============================================
set block-policy return
set skip on lo0

block in all

pass out proto { tcp, udp } all keep state

pass in proto {icmp,icmp6} all
pass out proto {icmp,icmp6} all

pass in proto tcp from any to (self) port 22
===============================================

After booting the machine ifconfig for em0 looks like this:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

The problem is that when I try to ssh to the machine the connection is not allowed through:
[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
ssh: connect to host 2001:6c8:6:6:a00:27ff:fe73:96a9 port 22: Connection refused

I have tried various things while trying to figure out what is going on here. In this case it helps to add another IPv6 address to em0:

ifconfig em0 inet6 2001:6c8:6:6::2

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 08:00:27:73:96:a9
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf
        inet6 2001:6c8:6:6::2 prefixlen 64
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

After doing this, ssh works:

[xi@talaxian ~]$ ssh 2001:6c8:6:6:a00:27ff:fe73:96a9
Last login: Tue Apr  6 21:56:48 2010 from 10.1.0.2

I have observed this problem on 7.3, 8.0 and -CURRENT (from April 1).

I can mention that changing "(self)" to "self" in the ruleset works as expected and the problem returns when changing it back.

When I see this behaviour, it can also be "fixed" by adding another interface, e.g. "ifconfig gif0 create".

I hope that this makes sense and that someone more familiar with the inner workings of pf is able to reproduce it. I like using "(self)" but when it doesn't work reliably I'm forced to resort to workarounds.

If I need to provide more info, I'll be happy to do so.

Thanks in advance.

>How-To-Repeat:
Use "(self)" in your pf ruleset along with IPv6.

I have not been able to figure out exactly when this behaviour is triggered but it has happened to me often
enough to be annoying.

	
>Fix:

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat May 22 16:39:33 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146832 

From: Christian Laursen <xi@borderworlds.dk>
To: bug-followup@FreeBSD.org, xi@borderworlds.dk
Cc:  
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6
 addresses
Date: Sun, 23 May 2010 15:50:16 +0200

 Just to make sure, I reproduced it on -CURRENT from yesterday.
 
 FreeBSD pftest.borderworlds.dk 9.0-CURRENT FreeBSD 9.0-CURRENT #1: Sat May 22 21:53:04 CEST 2010 root@pftest.borderworlds.dk:/usr/obj/usr/src/sys/GENERIC i386
 
 If I configure IPv6 via this line in rc.conf:
 ifconfig_em0_ipv6="RTADV"
 
 Then the problem isn't there. "(self)" matches the autoconfigured address.
 
 
 However, if I remove that line from rc.conf and manually run the 
 following sequence of commands:
 
 ifconfig em0 inet6 -ifdisabled
 ifconfig em0 inet6 auto_linklocal
 ifconfig em0 inet6 accept_rtadv
 
 and then wait for the autoconfigured address to appear on the interface,
 then the problem I have described manifests itself.
 
 -- 
 Christian Laursen
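Because the trigger is hard to pin down (the PR's How-To-Repeat says as much), a quick way to tell whether pf's "(self)" view has fallen behind the interface list is useful when the symptom appears. The following shell script is an added example; it is not from the PR, from FreeBSD, or from pf. It assumes that `pfctl -vsr` prints a dynamic address as `(self:N)` with N the number of addresses pf currently holds for that table, and that reloading the ruleset with `pfctl -f` rebuilds that list from the current interfaces. The sample inputs are constructed from the em0 output quoted in the report.

```shell
#!/bin/sh
# Added example (not part of PR 146832): compare the number of addresses pf
# reports for a "(self)" rule against the addresses configured on the host.
#
# Assumptions (not stated in the PR):
#  - `pfctl -vsr` prints a dynamic address as "(self:N)", N being the number
#    of addresses pf currently holds in that table ("(self:*)" when empty);
#  - link-local inet6 addresses are not part of the "(self)" expansion, so
#    they are not counted on the ifconfig side either.

# Count global-scope inet/inet6 addresses in `ifconfig -a` style output.
# Reads stdin; prints the count.
count_host_addrs() {
    awk '
        $1 == "inet"  { n++ }
        $1 == "inet6" && $2 !~ /^fe80:/ { n++ }
        END { print n + 0 }
    '
}

# Extract N from the first "(self:N)" on stdin (output of `pfctl -vsr`).
# Prints 0 when pf shows "(self:*)" or when no (self) rule is present.
count_self_addrs() {
    sed -n 's/.*(self:\([0-9]*\)).*/\1/p' | head -n 1 |
        awk '{ n = $1 } END { print n + 0 }'
}

# Compare both counts; return 0 when pf is in sync, 1 when it lags the host.
# $1 = ifconfig output, $2 = pfctl -vsr output (both passed as strings).
self_in_sync() {
    host=$(printf '%s\n' "$1" | count_host_addrs)
    pf=$(printf '%s\n' "$2" | count_self_addrs)
    if [ "$pf" -lt "$host" ]; then
        echo "pf (self) holds $pf address(es) but the host has $host: stale" >&2
        return 1
    fi
    return 0
}

# Constructed samples: the em0 output from the PR after the autoconf address
# appeared, and pfctl lines in which pf holds one (stale) or two (OK) addresses.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::a00:27ff:fe73:96a9%em0 prefixlen 64 scopeid 0x1
        inet 10.1.0.40 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 2001:6c8:6:6:a00:27ff:fe73:96a9 prefixlen 64 autoconf'
SAMPLE_PFCTL_STALE='pass in proto tcp from any to (self:1) port = ssh'
SAMPLE_PFCTL_OK='pass in proto tcp from any to (self:2) port = ssh'

# Live use on an affected host (assumption: a ruleset reload makes pf rebuild
# its dynamic address tables from the current interface list):
#   self_in_sync "$(ifconfig -a)" "$(pfctl -vsr)" || pfctl -f /etc/pf.conf
```

Run from cron or after `ifconfig` changes on a host that uses "(self)"; a non-zero exit means pf is filtering on an address list that is shorter than what the interfaces carry, which is exactly the state in which the ssh connection above is refused.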

From: Kenneth Vestergaard <kvs@binarysolutions.dk>
To: bug-followup@FreeBSD.org,
 xi@borderworlds.dk
Cc:  
Subject: Re: kern/146832: [pf] (self) not always matching all local IPv6 addresses
Date: Fri, 23 Sep 2011 22:10:46 +0200

 I'm seeing the same on a dual-stacked 8.2-RELEASE box here.
 
 The box has two IPv6 addresses, one of which is assigned to a jail (and
 thus gets configured after boot). It's the jail IP that doesn't get matched
 by '(self)'.
 
 
 -- 
 Kenneth Vestergaard
 
 

From: Kenneth Vestergaard <kvs@binarysolutions.dk>
To: Kenneth Vestergaard <kvs@binarysolutions.dk>
Cc: bug-followup@FreeBSD.org,
 xi@borderworlds.dk
Subject: Re: kern/146832: [pf] (self) not always matching all local IPv6 addresses
Date: Sat, 24 Sep 2011 16:56:55 +0200

 As far as I can tell, the patch below fixes it.
 
 I'm not sure about the semantics of "we don't need to install a host
 route", but the eventhandler part was added to the bottom of the case
 scope, and seemingly just missed dealing with the non-error early exit
 when the prefixlen of a new address is 128.
 
 Index: sys/netinet6/in6.c
 ===================================================================
 --- sys/netinet6/in6.c	(revision 225328)
 +++ sys/netinet6/in6.c	(working copy)
 @@ -589,6 +589,8 @@
  		pr0.ndpr_plen = in6_mask2len(&ifra->ifra_prefixmask.sin6_addr,
  		    NULL);
  		if (pr0.ndpr_plen == 128) {
 +			if (error == 0 && ia)
 +			    EVENTHANDLER_INVOKE(ifaddr_event, ifp);
  			break;	/* we don't need to install a host route. */
  		}
  		pr0.ndpr_prefix = ifra->ifra_addr;
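Review bot: the invocation added inside the `if (pr0.ndpr_plen == 128)` early exit is a second copy of the `ifaddr_event` notification that, per the message above, already sits at the bottom of the case scope, so the two paths can drift apart the next time either is touched; consider routing the `break` through the existing invocation (for instance a `goto` to a shared label just before the bottom-of-case call) so that every successful exit raises the event exactly once, and add a comment next to it saying that consumers of `ifaddr_event` (pf's dynamic `(self)` tables in this PR) need to hear about /128 addresses too, since nothing in the hunk explains why the early exit must notify. Minor style point: the inserted `EVENTHANDLER_INVOKE` line is indented with a tab plus four spaces while the surrounding lines use tabs only.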
 
 -- 
 Kenneth Vestergaard
 

From: Christian Laursen <xi@borderworlds.dk>
To: bug-followup@FreeBSD.org, xi@borderworlds.dk
Cc:  
Subject: Re: kern/146832: [pf] "(self)" not always matching all local IPv6
 addresses
Date: Tue, 27 Sep 2011 14:21:51 +0200

 The patch Kenneth has submitted does not fix my case, unfortunately.
 
 However, the following patch seems to work for me.
 
 --- nd6_rtr.c.orig	2011-09-24 20:24:25.000000000 +0200
 +++ nd6_rtr.c	2011-09-24 20:20:57.000000000 +0200
 @@ -1303,6 +1303,8 @@
   			 * XXX: what if address duplication happens?
   			 */
   			pfxlist_onlink_check();
 +
 +			EVENTHANDLER_INVOKE(ifaddr_event, ifp);
   		} else {
   			/* just set an error. do not bark here. */
   			error = EADDRNOTAVAIL; /* XXX: might be unused. */
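Review bot: the `EVENTHANDLER_INVOKE(ifaddr_event, ifp)` added after `pfxlist_onlink_check()` carries no comment, and a reader of this function later will not know it exists for the benefit of `ifaddr_event` subscribers such as pf's `(self)` tables; add one line stating that the autoconfigured address has just been attached to the interface and that listeners otherwise never learn of it. The `XXX: what if address duplication happens?` comment directly above applies to the notification as well: if DAD subsequently removes the address, subscribers will have been told about an address that did not survive, so it is worth checking that the removal path raises a matching event. Placing the call only in this branch, and not in the `else` branch that sets `error = EADDRNOTAVAIL`, looks right, since no address was added there.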
 
 
 -- 
 Christian Laursen
 
Responsible-Changed-From-To: freebsd-pf->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Fri Sep 30 10:28:02 UTC 2011 
Responsible-Changed-Why:  
Try to look at it over the weekend. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146832 
Responsible-Changed-From-To: bz->gnn 
Responsible-Changed-By: bz 
Responsible-Changed-When: Sun May 18 05:00:47 UTC 2014 
Responsible-Changed-Why:  
I shall not use bugzilla (at least until we have a CLI). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146832 
>Unformatted:
