Le lundi 10 mai 2021 à 22:51 +1000, David Gwynne a écrit : > > > > On 10 May 2021, at 8:05 pm, Bastien Durel <bast...@geekwu.org> > > wrote: > > > > Le samedi 08 mai 2021 à 12:07 +0200, Bastien Durel a écrit : > > > Le 08/05/2021 à 11:56, Stuart Henderson a écrit : > > > > > > Does it work if you use the syntax suggested in the upgrade > > > > > > notes > > > > > > for the example with "pass in on pppoe1 reply-to ..."? > > > > > > > > > > > > > > > > > For incoming connections, I tried > > > > > > > > > > pass in on pppoe0 inet6 reply-to > > > > > fe80::520f:80ff:fe65:8800%pppoe0 > > > > > keep state > > > > > pass in on pppoe0 inet6 reply-to fe80::520f:80ff:fe65:8800 > > > > > keep > > > > > state > > > > Hello, > > > > Thanks to folks of #openbsd, I found out adding an explicit route > > to > > fe80::520f:80ff:fe65:8800 on pppoe0 make this work. > > Referencing fe80::520f:80ff:fe65:8800%pppoe0 in pf.conf results in > > a > > rule referencing fe80::520f:80ff:fe65:8800 > > > > pf.conf: > > pass in on pppoe0 inet6 reply-to fe80::520f:80ff:fe65:8800%pppoe0 > > pfctl -s rules: > > pass in on pppoe0 inet6 all flags S/SA reply-to > > fe80::520f:80ff:fe65:8800 > > > > hostname.pppoe0: > > !/sbin/route add -inet6 fe80::520f:80ff:fe65:8800 -ifp pppoe0 > > fe80::%pppoe0 > > > > This make pf able to route to the correct interface. > > You're right, pf isn't very good at handling link-local v6 addresses. > This is annoying now that route-to uses addresses as it's argument if > you want to move ipv6 packets toward a host with a link local > address. > > In this situation the least worst way to cope with the problem for > now is to use route-to (pppoe0:0). This should work because route-to > doesn't do any local address checks on the destination address it > resolves. Once it looks up the local address as the direction to send > the packet, it should put it straight out pppoe0. ppp as a tunnel > interface has no address resolution protocol, it just encapsulates > the packet it is given and sends it on its way. > > route-to also takes a destination address as an argument, not a > gateway address. If dhcp6c sets up a route to some global address > that you know about (I'm not sure this is a thing but it might be), > you can use that global address as the argument to route-to and it > will send it in the right direction. >
Hello. Thanks for the hint, but (pppoe0:0) does not work : pf.conf:266: route spec requires :peer with dynamic interface addresses (pppoe0:peer) make pf happy, but does not route anything (ifconfig does not show any peer on inet6) dhcp6c does not sets any route by its own, it only returns some DNS resolver addresses, and registers the prefixes the ISP delegates. Regards, -- Bastien
