Date:      Tue, 09 Feb 2016 11:32:04 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-amd64@FreeBSD.org
Subject:   [Bug 207055] ipv6 pmtu discovery not working with pf active
Message-ID:  <bug-207055-6@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207055

            Bug ID: 207055
           Summary: ipv6 pmtu discovery not working with pf active
           Product: Base System
           Version: 10.2-STABLE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: hm@hellmuth-michaelis.de
                CC: freebsd-amd64@FreeBSD.org

IPv6 path mtu discovery is not working when pf is enabled and active.

OS Version is 10.3 BETA1

A very similar bug was reported in 115413, and I see that the patch mentioned
there is applied, but v6 pmtu is still not working.

There was already a mail sent to freebsd-net some time ago with a detailed
description of what is happening and things I tried; it can be found at
https://lists.freebsd.org/pipermail/freebsd-net/2014-May/038590.html

The problem is that the machine in question sends out an (obviously) too large
packet. The router (which is also a FreeBSD machine being the gateway to sixxs)
detects this and sends an ICMP Packet too big back.

In case pf is disabled, all is fine and you can see the updated mtu in
net.inet.tcp.hostcache.list.

As soon as you enable pf, this does not take place anymore and the router sends
the ICMP too big messages 4 or 5 times and the connection hangs and no update
to net.inet.tcp.hostcache.list is taking place.

The first time I saw this, it was a 2014 FreeBSD 10; now I upgraded the
machine to 10.3 BETA1 and the effect is still the same.

I made a patch to /usr/src/sys/netpfil/pf/pf.c with a shortcircuit and some
printfs and then pmtu functions again with pf enabled (you see it in
net.inet.tcp.hostcache.list) - I think this is not a fix but at least a
workaround:

*** pf.c-DIST   Thu Jan 14 12:06:14 2016
--- pf.c        Mon Feb  8 16:23:41 2016
***************
*** 4759,4766 ****
                                        pf_print_state(*state);
                                        printf(" seq=3D%u\n", seq);
                                }
!                               REASON_SET(reason, PFRES_BADSTATE);
!                               return (PF_DROP);
                        } else {
                                if (V_pf_status.debug >=3D PF_DEBUG_MISC) {
                                        printf("pf: OK ICMP %d:%d ",
--- 4759,4780 ----
                                        pf_print_state(*state);
                                        printf(" seq=3D%u\n", seq);
                                }
!                               if(icmptype !=3D ICMP6_PACKET_TOO_BIG)
!                               {
!                                       REASON_SET(reason, PFRES_BADSTATE);
!                                       return (PF_DROP);
!                               }
!                               else
!                               {
!                                       printf("pf: suspicious ICMP %d:%d ",
!                                           icmptype, pd->hdr.icmp->icmp_co=
de);
!                                       pf_print_host(pd->src, 0, pd->af);
!                                       printf(" -> ");
!                                       pf_print_host(pd->dst, 0, pd->af);
!                                       printf(" state: ");
!                                       pf_print_state(*state);
!                                       printf(" seq=3D%u\n", seq);
!                               }
                        } else {
                                if (V_pf_status.debug >=3D PF_DEBUG_MISC) {
                                        printf("pf: OK ICMP %d:%d ",
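
Review bot: The new else branch for ICMP6_PACKET_TOO_BIG no longer returns PF_DROP when seq fails the state check, so every Packet Too Big that reaches this point is passed regardless of seq, including ones that do not belong to the tracked connection; that removes the validation for exactly the message type that changes the cached path MTU. I would rather find out why seq is rejected for the legitimate router reply (the state and seq values this branch prints would show it) and fix that comparison while keeping the drop. If the exemption stays as a stopgap, restrict it with pd->af == AF_INET6, put the added printf calls behind the same V_pf_status.debug >= PF_DEBUG_MISC test the following branch uses so they cannot flood the console, and read the code through the ICMPv6 header rather than the ICMPv4 view pd->hdr.icmp->icmp_code.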
