From owner-freebsd-pf@FreeBSD.ORG Mon Dec 24 11:06:48 2012
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org
Date: Mon, 24 Dec 2012 11:06:47 GMT
Message-Id: <201212241106.qBOB6leE066134@freefall.freebsd.org>

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/173659  pf         [pf] PF fatal trap on 9.1 (taskq fatal trap on pf_test
o bin/172888   pf         [patch] authpf(8) feature enhancement
o kern/172648  pf         [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet
o kern/171733  pf         [pf] PF problem with modulate state in [regression]
o kern/169630  pf         [pf] [patch] pf fragment reassembly of padded (undersi
o kern/168952  pf         [pf] direction scrub rules don't work
o kern/168190  pf         [pf] panic when using pf and route-to (maybe: bad frag
o kern/166336  pf         [pf] kern.securelevel 3 +pf reload
o kern/165315  pf         [pf] States never cleared in PF with DEVICE_POLLING
o kern/164402  pf         [pf] pf crashes with a particular set of rules when fi
o kern/164271  pf         [pf] not working pf nat on FreeBSD 9.0 [regression]
o kern/163208  pf         [pf] PF state key linking mismatch
o kern/160370  pf         [pf] Incorrect pfctl check of pf.conf
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/103283  pf         pfsync fails to sucessfully transfer some sessions
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

48 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 28 12:04:19 2012
From: Michael Grimm
To: freebsd-pf@freebsd.org
Subject: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Fri, 28 Dec 2012 12:59:32 +0100
Message-Id: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>

Hi --

I do run both my primary and secondary nameservers (distinct servers) in
FreeBSD jails1 and jail2 as outlined below:

  (jail1/a:a:a:a::1:1) <--WAN--> (jail2/b:b:b:b::1:1)
  (jail1/10.10.10.1) <--NAT--> (host 1.2.3.4) <--WAN--> (host 5.6.7.8) <--NAT--> (jail2/10.10.10.1)

Here's the relevant part of my pf.conf (server1):

| nat on em0 inet from 10.10.10.1 to any -> 1.2.3.4
| rdr on em0 inet proto tcp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 1.2.3.4 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to a:a:a:a::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to a:a:a:a::1:1 port = domain keep state tag ip6domain

This is at server2:

| nat on em0 inet from 10.10.10.1 to any -> 5.6.7.8
| rdr on em0 inet proto tcp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| rdr on em0 inet proto udp from any to 5.6.7.8 port = domain -> 10.10.10.1 port 53
| pass in log on em0 inet proto tcp from any to 10.10.10.1 port = domain flags S/SA keep state tag ip4domain
| pass in log on em0 inet proto udp from any to 10.10.10.1 port = domain keep state tag ip4domain
| pass in log on em0 inet6 proto tcp from any to b:b:b:b::1:1 port = domain flags S/SA keep state tag ip6domain
| pass in log on em0 inet6 proto udp from any to b:b:b:b::1:1 port = domain keep state tag ip6domain

tcp4 and udp4 connections between both nameservers are served as expected, as well as udp6.

But tcp6 doesn't work:

| jail1>
| nc -6vw 1 b:b:b:b::1:1 53
| nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out

I do see using tcpdump at server1:

| 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S], cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0

The same happens the other way around. And, that lack of tcp6 connectivity stands true for all my other service jails as well. I cannot reach any distinct IPv6 service from my jails :-(

JFTR: both nameservers are listening to the given IPv6 addresses, as checked by "sockstat -6".
What I did try so far:

- Setting of "flags any" and/or "no state" to tcp6 rules
- Adding private IPv6 addresses to my jails and implement nat66
- Activating rtadvd

But without any success, so, what's going wrong here:

- Is it my setup regarding pf?
- Is it my setup in general?
- Is it a screwed IPv6 routing?
- Or something else?

Any help is highly appreciated.

Thanks and with kind regards,
Michael

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 28 12:06:43 2012
From: Michael Grimm
To: freebsd-pf@freebsd.org
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Fri, 28 Dec 2012 13:06:41 +0100
Message-Id: <15A4AE9D-69D0-484E-A338-473474C0502D@odo.in-berlin.de>
In-Reply-To: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>

Hi --

I forgot to mention: this happens with "FreeBSD 9.1-RELEASE #0 r244594" and "FreeBSD 9.1-PRERELEASE #0 r244694".
Regards,
Michael

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 09:48:43 2012
From: Michael Grimm
To: freebsd-pf@freebsd.org
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 10:48:41 +0100
Message-Id: <031FA6BE-B5A9-4197-ABAC-8883D48FA8FC@odo.in-berlin.de>
In-Reply-To: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>

Hi --

On 28.12.2012, at 12:59, Michael Grimm wrote:

> But without any success, so, what's going wrong here:
> - Is it my setup regarding pf?
> - Is it my setup in general?
> - Is it a screwed IPv6 routing?
> - Or something else?

What I can say now, is:

- It has nothing to do with my setup regarding jails.
- I can reach both servers via tcp6 from remote servers, successfully.
- 9.0 outgoing tcp6 to 9.1 is working.
- Disabling PF at 9.1 allows outgoing tcp6 to 9.1 with enabled PF.

Thus, it seems to me that the pf code in 9.1 is responsible for screwing tcp6.
I did test with:

  FreeBSD 9.1-RELEASE #0 r244594
  FreeBSD 9.1-PRERELEASE #0 r244694
  FreeBSD 9.1-PRERELEASE (GENERIC) #0 r244811

I'm interested to know if I'm the only one running into this issue?

Thanks and regards,
Michael

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 11:56:57 2012
From: Mark Martinec
To: freebsd-pf@freebsd.org
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 12:56:52 +0100
Organization: J. Stefan Institute
Message-Id: <201212291256.52378.Mark.Martinec+freebsd@ijs.si>
In-Reply-To: <031FA6BE-B5A9-4197-ABAC-8883D48FA8FC@odo.in-berlin.de>

On Saturday December 29 2012 10:48:41 Michael Grimm wrote:
> - Disabling PF at 9.1 allows outgoing tcp6 to 9.1 with enabled PF.
>
> Thus, it seems to me that the pf code in 9.1 is responsible for screwing
> tcp6.
Make sure to have 'scrub reassemble tcp' off:

  misc/172648: pf(4): 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
  http://www.freebsd.org/cgi/query-pr.cgi?pr=172648

Mark

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 12:02:53 2012
From: CyberLeo Kitsana
To: Michael Grimm
Cc: freebsd-pf@freebsd.org
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 05:54:41 -0600
Message-ID: <50DEDA01.4060103@cyberleo.net>
In-Reply-To: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de>

On 12/28/2012 05:59 AM, Michael Grimm wrote:
> Hi --
>
> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:

> I do see using tcpdump at server1:
>
> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94:
> (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

9.1's PF appears to be either corrupting or not updating the packet
checksum when it touches IPv6 packets. I was not able to figure out how
or why in my brief perusal of the source, but it seems to affect more
than just NAT66.

http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html

--
Fuzzy love,
-CyberLeo
Furry Peace! - http://www.fur.com/peace/

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 12:07:51 2012
From: Kimmo Paasiala
To: CyberLeo Kitsana
Cc: freebsd-pf@freebsd.org
Subject: Re: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 14:07:49 +0200
In-Reply-To: <50DEDA01.4060103@cyberleo.net>

On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana wrote:
> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>> Hi --
>>
>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:
>
>> I do see using tcpdump at server1:
>>
>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 9.1's PF appears to be either corrupting or not updating the packet
> checksum when it touches IPv6 packets. I was not able to figure out how
> or why in my brief perusal of the source, but it seems to affect more
> than just NAT66.
>
> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> --
> Fuzzy love,
> -CyberLeo
> Furry Peace! - http://www.fur.com/peace/

Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.
-Kimmo

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 14:31:12 2012
From: Michael Grimm
To: freebsd-pf@freebsd.org
Subject: [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 15:31:03 +0100
Message-Id: <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de>
References: <14C709A3-B608-44C3-B12F-5F6790AA60DC@odo.in-berlin.de> <50DEDA01.4060103@cyberleo.net>

Hi --

On 29.12.2012, at 13:07, Kimmo Paasiala wrote:
> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana wrote:
>> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:
>>
>>> I do see using tcpdump at server1:
>>>
>>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 9.1's PF appears to be either corrupting or not updating the packet
>> checksum when it touches IPv6 packets. I was not able to figure out how
>> or why in my brief perusal of the source, but it seems to affect more
>> than just NAT66.
>>
>> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>
> Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.
>

I've been told to change my outgoing rule from ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state

... to ...

| pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all

... and that did the trick! No more checksum and timeout errors. Now it works as expected.

Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC.

And one last question: I do have "modulate state" for the corresponding IPv4 rule as well. Should I modify that as well? Sorry for that dumb question, but I don't know pf good enough to judge myself.
Thanks for your help, and with kind regards,
Michael

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 17:26:01 2012
From: CyberLeo Kitsana
To: Michael Grimm
Cc: freebsd-pf@freebsd.org
Subject: Re: [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 11:25:58 -0600
Message-ID: <50DF27A6.40505@cyberleo.net>
In-Reply-To: <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de>

On 12/29/2012 08:31 AM, Michael Grimm wrote:
> Hi --
>
> On 29.12.2012, at 13:07, Kimmo Paasiala wrote:
>> On Sat, Dec 29, 2012 at 1:54 PM, CyberLeo Kitsana wrote:
>>> On 12/28/2012 05:59 AM, Michael Grimm wrote:
>
>>>> I do run both my primary and secondary nameservers (distinct servers) in FreeBSD jails1 and jail2 as outlined below:
>>>
>>>> I do see using tcpdump at server1:
>>>>
>>>> | 00:00:02.066251 xx:xx:xx:xx:xx > yy:yy:yy:yy:yy, ethertype IPv6 (0x86dd), length 94: (flowlabel 0xa3c71, hlim 63, next-header TCP (6) payload length: 40) b:b:b:b::1.64158 > a:a:a:a:1::1.53: Flags [S],
>>>> cksum 0x959b (incorrect -> 0x58f9), seq 3833155181, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 495939599 ecr 0], length 0
>>>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>> 9.1's PF appears to be either corrupting or not updating the packet
>>> checksum when it touches IPv6 packets. I was not able to figure out how
>>> or why in my brief perusal of the source, but it seems to affect more
>>> than just NAT66.
>>>
>>> http://freebsd.1045724.n5.nabble.com/PF-IPv6-NAT-and-The-Curse-of-The-Invalid-Checksum-td5769669.html
>>
>> Afaik any kind of NAT on IPv6 is broken with pf(4) at the moment.
>>
>
>
> I've been told to change my outgoing rule from ...
>
> | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state
>
> ... to ...
>
> | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all
>
> ... and that did the trick! No more checksum and timeout errors. Now it works as expected.
>
> Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC.
>
> And one last question: I do have "modulate state" for the corresponding IPv4 rule as well. Should I modify that as well? Sorry for that dumb question, but I don't know pf good enough to judge myself.

'modulate state' is a form of packet rewriting like NAT, though it
rewrites sequence numbers and stuff instead of addresses and ports; it
makes sense that this would be affected by whatever is breaking IPv6
checksum rewriting.

It'll work fine for IPv4, though it may not provide any benefit if all
the traffic is generated or consumed by the same TCP/IP stack (same
machine and no VIMAGE).

--
Fuzzy love,
-CyberLeo
Furry Peace!
- http://www.fur.com/peace/

From owner-freebsd-pf@FreeBSD.ORG Sat Dec 29 21:03:25 2012
From: Paul Dokas
Reply-To: paul@dokas.name
To: freebsd-pf@freebsd.org
Subject: Re: [SOLVED]: nc: connect to b:b:b:b::1:1 port 53 (tcp) failed: Operation timed out
Date: Sat, 29 Dec 2012 14:57:15 -0600
Message-ID: <50DF592B.1030600@dokas.name>
In-Reply-To: <5FA24BDE-D6EE-4C3F-B0DE-BC5CBE9EA7A8@odo.in-berlin.de>

On 12/29/12 08:31, Michael Grimm wrote:
> I've been told to change my outgoing rule from ...
>
> | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all modulate state
>
> ... to ...
>
> | pass out log on $extIF inet6 proto {tcp, udp, icmp6, gre} all
>
> ... and that did the trick! No more checksum and timeout errors. Now it works as expected.
>
> Just for me to learn: What change in code from 9.0 to 9.1 made that first rule break? I used that rule since 7.0, IIRC.

I'll add another data point as this affected me also. I have a host that
I recently upgraded from 9.0 -> 9.1. Under 9.0, I could ssh to it without
any issues using both ipv4 and ipv6. However after upgrading to 9.1, I
could no longer access this host via ipv6.

In /etc/pf.conf under 9.0, the packets were allowed via this line:

  pass in proto tcp from to port 22 modulate state

Now, under 9.1, I had to replace this line with the following to restore
ipv4 and ipv6 connectivity:

  pass in inet proto tcp from to port 22 modulate state
  pass in inet6 proto tcp from to port 22

Thank you for the fix. I'm also curious about what changed in PF between
9.0 and 9.1. Looking over the commits, I see many changes, several of
which affect ipv6, but nothing that would obviously account for this
change in behavior. I am also no expert on the PF code, so I could easily
be missing something obvious.

The broken behavior that I am seeing goes like this:

  Host A: FreeBSD 9.1 with ipv4 and ipv6 connectivity
  Host B: Linux with ipv4 and ipv6 connectivity

  14:42:54.449782 IP6 HostB.23277 > HostA.22: Flags [S], seq 4121331899, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3181373 ecr 0], length 0
  14:42:54.449971 IP6 HostA.22 > HostB.23277: Flags [S.], seq 1127207337, ack 4121331900, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3217245253 ecr 3181373], length 0

This is from tcpdump output on host B. The SYN/ACK packet does make it to
host B, but seems to be silently ignored.

For comparison, here's the same few packets with the fix in place on Host A:

  14:51:58.716186 IP6 HostB.33915 > HostA.22: Flags [S], seq 3905485643, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3725643 ecr 0], length 0
  14:51:58.716356 IP6 HostA.22 > HostB.33915: Flags [S.], seq 2791731777, ack 3905485644, win 65535, options [mss 1440,nop,wscale 9,sackOK,TS val 3462082146 ecr 3725643], length 0
  14:51:58.716411 IP6 HostB.33915 > HostA.22: Flags [.], ack 1, win 2049, options [nop,nop,TS val 3725643 ecr 3462082146], length 0

In this case, the 3 way handshake completes.

Paul

--
Paul Dokas                                              dokas at dokas.name
======================================================================
Don Juan Matus:  "an enigma wrapped in mystery wrapped in a tortilla."
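The silently ignored SYN/ACK in the capture above is the normal receiver reaction to a TCP segment whose checksum no longer matches its contents: the kernel discards it without any ICMP or RST, so the symptom is a plain timeout, exactly as in the first post. The following Python is an added example, not code from this thread or from pf(4). It computes the TCP checksum over the IPv6 pseudo-header (RFC 2460 section 8.1), then shows what a sequence-number rewrite of the kind 'modulate state' performs does to a segment when the checksum is left stale, and how the RFC 1624 incremental update repairs it for any rewritten field. The addresses, ports, sequence number and delta are constructed sample values; the helper names are this example's own.

```python
import struct

# Constructed sample addresses (documentation prefix, not taken from the thread)
HOST_A = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
HOST_B = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: bytes, dst: bytes, upper_len: int) -> bytes:
    """IPv6 pseudo-header: src, dst, upper-layer length, 3 zero bytes, next header."""
    return src + dst + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([IPPROTO_TCP])


def tcp6_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum a sender must store in bytes 16..17 of the TCP header."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo_header(src, dst, len(segment)) + zeroed)) & 0xFFFF


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """Receiver-side check: the sum over pseudo-header plus segment, including the
    stored checksum, must be 0xFFFF; anything else and the segment is dropped."""
    return ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack=0, flags=0x02) -> bytes:
    """Constructed 20-byte TCP header (no options) carrying a valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr[:16] + struct.pack("!H", tcp6_checksum(src, dst, hdr)) + hdr[18:]


def incremental_update(old_ck: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), applied 16-bit word by word,
    so a rewriter only needs the old and new bytes of the field it changed."""
    total = (~old_ck) & 0xFFFF
    for i in range(0, len(old_field), 2):
        m = (old_field[i] << 8) | old_field[i + 1]
        total += (~m) & 0xFFFF
    total += ones_complement_sum(new_field)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def modulate_seq(segment: bytes, delta: int, fixup: bool) -> bytes:
    """Shift the sequence number by delta, as a 'modulate state' rewrite does.
    fixup=False leaves the checksum stale (the symptom in this thread);
    fixup=True repairs it incrementally without re-reading the payload."""
    old_seq = segment[4:8]
    new_seq = struct.pack("!I", (struct.unpack("!I", old_seq)[0] + delta) & 0xFFFFFFFF)
    out = segment[:4] + new_seq + segment[8:]
    if fixup:
        old_ck = struct.unpack("!H", segment[16:18])[0]
        out = out[:16] + struct.pack("!H", incremental_update(old_ck, old_seq, new_seq)) + out[18:]
    return out


def demo():
    """Original SYN passes; stale rewrite fails; fixed-up rewrite passes again."""
    syn = build_segment(HOST_B, HOST_A, 23277, 22, 4121331899)
    stale = modulate_seq(syn, 0x12345, fixup=False)
    fixed = modulate_seq(syn, 0x12345, fixup=True)
    return (checksum_ok(HOST_B, HOST_A, syn),
            checksum_ok(HOST_B, HOST_A, stale),
            checksum_ok(HOST_B, HOST_A, fixed))


if __name__ == "__main__":
    print(demo())
```

checksum_ok deliberately sums the stored checksum in rather than comparing two computed values, because ones'-complement arithmetic has two representations of zero (0x0000 and 0xFFFF) and a recompute-and-compare check can reject a segment that a real stack accepts. The same routine, fed the bytes of a tcpdump -x capture and the addresses from the IPv6 header, reproduces tcpdump's "incorrect -> ..." verdict for a segment leaving a pf box.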