From: Daniel Hartmeier
To: Jacek Zapala
Cc: freebsd-net@freebsd.org
Date: Tue, 21 Aug 2007 14:11:18 +0200
Subject: Re: kern/115413: [ipv6] ipv6 pmtu not working

When filtering statefully, there is no need for a specific rule allowing
ICMPv6 errors like ICMP6_PACKET_TOO_BIG. These ICMPv6 messages contain,
as payload, the header of the original packet that triggered the error.
pf extracts that inner header and searches for a matching state entry.
If a matching state is found, the ICMPv6 error is passed without ruleset
evaluation.

In your case, a matching state entry (for the corresponding TCP
connection) is found, but TCP sequence number checks fail:

> pf: BAD ICMP 2:0 some_router -> src_addr
> state: TCP src_addr[50400] src_addr[50400] dst_addr[22]
> [lo=2463013638 high=2463020758 win=32844 modulator=0 wscale=1]
> [lo=2412460872 high=2412526560 win=1278 modulator=0 wscale=3]
> 4:4 seq=2463010534

The TCP connection is from src_addr[50400] to dst_addr[22], an outgoing
connection (on some interface) for pf. I assume the ICMPv6 error is
coming in on the same interface.

Since some_router is sending the ICMPv6 error to src, we'd expect that
the TCP packet that triggered the error on some_router was sent from src
to dst.

The first section in square brackets represents src's TCP window, the
second one dst's. For packets src sends to dst, dst's window is relevant.

For example, a TCP packet from src to dst might have th_seq 2412460873
legitimately, as that is within the window dst accepts (2412460872 to
2412526560).

But th_seq of the TCP packet quoted by the ICMPv6 error is 2463010534,
which is outside dst's window. Strangely, it is within src's window.

I don't understand why some_router would do this. It looks like it's
either quoting the wrong TCP header or sending the error to the wrong
side, neither of which sounds like an easy mistake to make.

Is some_router a FreeBSD 6.2 box, too?

It might help if you could capture a tcpdump -s 1600 -nvvvS of one such
TCP connection, including the ICMPv6 error.

Daniel
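
Added example (not part of the original message and not pf's own code): a small Python script that parses the debug output quoted above and measures how far the quoted th_seq lies from each peer's lo..high range, using wrap-safe 32-bit sequence arithmetic. The function names are hypothetical, and the plain lo..high comparison is a simplification for triage, not pf's actual acceptance test.

```python
import re

# pf debug output as quoted in the message above (names anonymized there).
PF_DEBUG = """\
pf: BAD ICMP 2:0 some_router -> src_addr
state: TCP src_addr[50400] src_addr[50400] dst_addr[22]
[lo=2463013638 high=2463020758 win=32844 modulator=0 wscale=1]
[lo=2412460872 high=2412526560 win=1278 modulator=0 wscale=3]
4:4 seq=2463010534
"""

PEER_RE = re.compile(r"\[lo=(\d+) high=(\d+) win=\d+ modulator=\d+ wscale=\d+\]")
SEQ_RE = re.compile(r"\bseq=(\d+)")
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def distance(seq, lo, high):
    """0 if seq is in [lo, high]; negative = bytes below lo, positive = above high."""
    span = (high - lo) % MOD
    off = (seq - lo) % MOD
    if off <= span:
        return 0
    above = off - span   # how far past high, going forward
    below = MOD - off    # how far before lo, going backward
    return above if above <= below else -below


def parse_bad_icmp(text):
    """Return ((src_lo, src_high), (dst_lo, dst_high), quoted_seq)."""
    peers = [(int(lo), int(hi)) for lo, hi in PEER_RE.findall(text)]
    seq = SEQ_RE.search(text)
    if len(peers) != 2 or seq is None:
        raise ValueError("expected two peer windows and a seq= field")
    return peers[0], peers[1], int(seq.group(1))


def nearest_peer(text):
    """Name the peer whose range the quoted th_seq is closest to."""
    src, dst, seq = parse_bad_icmp(text)
    d = {"src": distance(seq, *src), "dst": distance(seq, *dst)}
    return min(d, key=lambda k: abs(d[k])), d


if __name__ == "__main__":
    peer, d = nearest_peer(PF_DEBUG)
    print(f"quoted th_seq is closest to {peer}'s range; distances: {d}")
```

A quoted th_seq that sits in or next to the range of the peer receiving the ICMPv6 error, rather than the other peer's, is the mismatch the message describes.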