9.1 and outgoing tcp6: Operation timed out

Hi --

I came across an issue with outgoing tcp6 connections after upgrading to 9.1-RELEASE.

Whenever I try to connect to a distant IPv6 service using tcp6 I do run into timeouts, e.g.:
Code:
9.1> nc -6vw 1 a:b:c:d::1 53
nc: connect to a:b:c:d::1 port 53 (tcp) failed: Operation timed out

If I disable pf, I'll succeed:

Code:
9.1> pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled

9.1> nc -6vw 1 a:b:c:d::1 53
Connection to a:b:c:d::1 53 port [tcp/domain] succeeded!

The relevant part of the tcpdump snippet at the outgoing server looks like:
Code:
9.1> tcpdump  -n -e -ttt -s 256 -vvv -p -i em0

ethertype IPv6 (0x86dd), length 94: (flowlabel 0xd704f, hlim 64, next-header TCP (6) payload length: 40) w:x:y:z::1.60238 > a:b:c:d::1.53: Flags [S], cksum 0x9471 (incorrect -> 0x7830), seq 406663917, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 35873618 ecr 0], length 0

My pf rule regarding outgoing tcp6 is simply:
Code:
pass out log on em0 inet6 proto tcp all flags S/SA modulate state

I did try "flags any" and/or "no state", but to no avail.

I did test with the following and saw the issue regarding tcp6:

RELEASE #0 r244594
PRERELEASE #0 r244694
PRERELEASE (GENERIC) #0 r244811

There is no issue with 9.0-RELEASE-p5 (r244773) and the very same pf configuration. It just happened after upgrading to 9.1-RELEASE.

Is anyone else experiencing the same issue?


P.S. udp6 works as expected.
 
Just a snippet from an IPv6 rule I use:

Code:
###outbound IPv6 tcp, udp  traffic, no randomize needed.
pass out log on $ext_if inet6 proto { tcp, udp} from any to any

The system is FreeBSD 9.1-RELEASE #1 r243750

Edit. I just saw that you are using: flags S/SA modulate state

Don't do that in IPv6. You don't need the keep state statement either because it is implied.
 
gkontos said:
Edit. I just saw that you are using: flags S/SA modulate state

Don't do that in IPv6. You don't need the keep state statement either because it is implied.

Thanks. I had had modulate state set in my pass out rule. I've changed that to:
Code:
pass out log on $extIF inet6 proto {tcp, udp} all

Now it's working as expected.

But, just out of curiosity: what changed between 9.0 and 9.1 that made the very same pass out rule break?

Thanks very much for your help!
 
uisge said:
But, just out of curiosity: What did change between 9.0 and 9.1, that made the very same pass out rule break?

modulate state randomizes the initial sequence number. I think that this is something that might actually "confuse" the state table when it comes to IPv6.

The same thing applies to synproxy state which also does not work with IPv6.
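As an added example (not code from any post in this thread), a small shell check that flags pf rules combining inet6 with modulate state or synproxy state, the two options the replies above say do not work for IPv6. The sample pf.conf it runs against is constructed for illustration; rules with no address family at all also match IPv6 traffic and are not caught by this check.

```sh
#!/bin/sh
# Added example, not from the thread: list pf rules that use inet6 together
# with "modulate state" or "synproxy state". Reads a pf.conf path, or stdin
# when no path is given; prints "<line>: <rule>" for each flagged rule.
find_inet6_modulate() {
    awk '
        # Skip comments and blank lines
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        # Flag only rules scoped to inet6 that also modulate/synproxy state
        /(^|[[:space:]])inet6([[:space:]]|$)/ &&
        /(modulate|synproxy)[[:space:]]+state/ {
            printf "%d: %s\n", NR, $0
        }
    ' "$@"
}

# Number of flagged rules, handy for a pass/fail check in a deploy script
count_flagged() {
    find_inet6_modulate "$@" | wc -l | tr -d ' '
}

# Constructed sample pf.conf: an IPv4 rule with modulate state (not flagged),
# the IPv6 rule from the thread (flagged), a synproxy inet6 rule (flagged),
# and the corrected IPv6 rule where keep state is implied (not flagged).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
ext_if = "em0"
# IPv4 outbound: modulate state is fine here
pass out log on $ext_if inet proto tcp all flags S/SA modulate state
pass out log on $ext_if inet6 proto tcp all flags S/SA modulate state
pass in on $ext_if inet6 proto tcp to port 22 synproxy state
pass out log on $ext_if inet6 proto { tcp, udp } all
EOF

find_inet6_modulate "$SAMPLE_CONF"
echo "flagged rules: $(count_flagged "$SAMPLE_CONF")"
rm -f "$SAMPLE_CONF"
```

Run it before `pfctl -f /etc/pf.conf` on an upgraded 9.1 box to catch the rule before it silently times out IPv6 connections.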
 