Hi David,

First of all, thank you so much for taking the time for my question!
> My first impression is that you're confusing where to apply policy to
> the encapsulated traffic. "pass on gre proto gre" implies you're
> trying to pass GRE packets as they go over gre(4) interfaces, but
> it's the unencapsulated packets that go over gre(4), and the GRE
> encapsulated packets will go over your "underlay" or physical
> interfaces, which looks like em0 according to tcpdump.

Yes, it might be that I'm a little bit confused right now, after all the
"experiments" I already did to make this work.

> Your pass rule should let everything work though. Those two rules are
> your entire ruleset?

Yes, those two rules are all I have (I reduced my whole rule set to this
to sort things out). In the meantime I changed it to the following as per
your and Georg's suggestion.

In file:

pass log (all, to pflog0)
# pass the GRE encapsulated traffic
pass inet6 proto gre
# let ping6 over gre(4) work
pass on gre inet6 proto icmp6
#pass on gre proto gre no state

doas pfctl -s rules
pass log (all) all flags S/SA
pass inet6 proto gre all
pass on gre inet6 proto ipv6-icmp all

With these rules I get the following, so at least I can see the reply on em0:

doas tcpdump -nvei em0 ip6 or icmp6 or proto gre
tcpdump: listening on em0, link-type EN10MB
07:54:28.107820 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:0) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
07:54:28.156366 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd 2a01:qqq:rrrr:ss::1 > 2a01:qqq:rrrr:ss::2: icmp6: echo reply (id:597c seq:0) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 243)
07:54:29.109744 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:1) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
07:54:29.166480 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd 2a01:qqq:rrrr:ss::1 > 2a01:qqq:rrrr:ss::2: icmp6: echo reply (id:597c seq:1) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 243)
07:54:30.110067 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:2) (len 64, hlim 64) [flowlabel 0x71e6] (len 108, hlim 64)
07:54:30.156013 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd 2a01:qqq:rrrr:ss::1 > 2a01:qqq:rrrr:ss::2: icmp6: echo reply (id:597c seq:2) [flowlabel 0xa8f7b] (len 64, hlim 64) [flowlabel 0xa8f7b] (len 116, hlim 243)

Unfortunately it never reaches gre0:

doas tcpdump -nvei gre1051 ip6 or icmp6 or proto gre
tcpdump: listening on gre1051, link-type LOOP
07:54:28.107741 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:0) [icmp6 cksum ok] (len 64, hlim 64)
07:54:29.109675 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:1) [icmp6 cksum ok] (len 64, hlim 64)
07:54:30.110004 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:2) [icmp6 cksum ok] (len 64, hlim 64)

> The bare "pass" rule not letting this work makes me feel like there's
> more to this though.

Yes, I also think that there must be more to it, but I just don't see the
trees for the forest here.

Thanks
Markus
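As an added example that is not part of Markus's mail or David's reply: a small Python script that parses tcpdump lines like the ones above and reports every echo carried inside GRE on the underlay interface (em0) that never shows up decapsulated on the gre(4) interface, while also recording which IPv6 extension headers (here DSTOPT) sit in front of the GRE payload. The sample captures are constructed from the anonymised output quoted in the thread; the function and variable names are my own.

```python
import re

# Constructed sample captures modelled on the tcpdump output in the mail
# (same anonymised addresses; first two echoes of each capture).
UNDERLAY = """\
07:54:28.107820 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:0) (len 64, hlim 64)
07:54:28.156366 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd 2a01:qqq:rrrr:ss::1 > 2a01:qqq:rrrr:ss::2: icmp6: echo reply (id:597c seq:0) (len 64, hlim 64)
07:54:29.109744 00:0d:b9:44:ec:dc 34:81:c4:e0:4b:79 86dd 162: 2a02:xxxx:yyy:zzz::1 > 2a00:uuuu:vvvv:wwww::10: gre [] 86dd 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:1) (len 64, hlim 64)
07:54:29.166480 34:81:c4:e0:4b:79 00:0d:b9:44:ec:dc 86dd 170: 2a00:uuuu:vvvv:wwww::10 > 2a02:xxxx:yyy:zzz::1: DSTOPT (type 0x04: len=1) gre [] 86dd 2a01:qqq:rrrr:ss::1 > 2a01:qqq:rrrr:ss::2: icmp6: echo reply (id:597c seq:1) (len 64, hlim 64)
"""
TUNNEL = """\
07:54:28.107741 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:0) [icmp6 cksum ok] (len 64, hlim 64)
07:54:29.109675 2a01:qqq:rrrr:ss::2 > 2a01:qqq:rrrr:ss::1: icmp6: echo request (id:597c seq:1) [icmp6 cksum ok] (len 64, hlim 64)
"""

# Inner (or only) "src > dst: icmp6: echo ..." pair; the non-greedy prefix
# skips the outer IPv6 header and "gre []" on underlay lines.
ECHO_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) .*?(?P<src>[0-9a-zA-Z:]+) > (?P<dst>[0-9a-zA-Z:]+): "
    r"icmp6: echo (?P<kind>request|reply) \(id:(?P<id>[0-9a-f]+) seq:(?P<seq>\d+)\)"
)
# Outer header of an encapsulated packet plus any IPv6 extension headers
# (e.g. "DSTOPT (...)") sitting between it and the GRE payload.
OUTER_RE = re.compile(
    r"[0-9a-zA-Z:]+ > [0-9a-zA-Z:]+: (?P<ext>(?:[A-Z0-9]+ \([^)]*\) )*)gre \[\]"
)

def parse_echoes(capture: str) -> list[dict]:
    """One record per icmp6 echo line; non-echo lines are ignored."""
    records = []
    for line in capture.splitlines():
        m = ECHO_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["seq"] = int(rec["seq"])
        outer = OUTER_RE.search(line)
        rec["encapsulated"] = outer is not None
        # Names of extension headers before GRE, e.g. ["DSTOPT"].
        rec["outer_ext"] = re.findall(r"[A-Z0-9]+(?= \()", outer["ext"]) if outer else []
        records.append(rec)
    return records

def missing_on_tunnel(underlay: str, tunnel: str) -> list[tuple[str, str, int]]:
    """(kind, id, seq) carried in GRE on the underlay but never seen on gre(4)."""
    seen = {(r["kind"], r["id"], r["seq"]) for r in parse_echoes(tunnel)}
    sent = {(r["kind"], r["id"], r["seq"]) for r in parse_echoes(underlay) if r["encapsulated"]}
    return sorted(sent - seen)
```

Run against the two captures, `missing_on_tunnel` lists both echo replies, which matches what the mail shows: the replies arrive encapsulated on em0 (behind a DSTOPT header) but are never seen on gre1051.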