From: Kristof Provost
To: d@delphij.net
Cc: freeBSD-net@FreeBSD.org
Subject: Re: Regression with pf or IPv6 on FreeBSD 14 with IPsec gif(4) tunnel
Date: Thu, 14 Sep 2023 11:28:11 +0100
Message-ID: <0DA172FD-8E4E-4DA5-A55E-8470A8EEF878@FreeBSD.org>
In-Reply-To: <8a063059-d3be-1dd5-d89d-d0054ee269cd@delphij.net>
List-Id: Networking and TCP/IP with FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-net

On 14 Sep 2023, at 4:54, Xin Li wrote:

> Hi!
>
> I recently upgraded my home router and found that there is some regression related to pf or IPv6.
>
> When attempting to connect an IPv6 TCP service, process would enter a seemingly unkillable state (the stack varies but always begins with write, so it seems that tailscale was trying to send some packet to the server), until racoon is killed and restarted (at which point the connection would be dropped).
>
> tcpdump over the gif(4) channel captured a lot of seemingly duplicated packets like this:
>
> 03:40:50.088262 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088580 ecr 3077807235], length 1328
> 03:40:50.088332 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088581 ecr 3077807235], length 1328
> [identical except timestamp]
> 03:40:50.089107 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088581 ecr 3077807235], length 1328
>
> Am I the only person who is seeing this? (Admittedly my setup is somewhat unique; my home ISP doesn't provide IPv6 service, so I have a gif(4) tunnel to my datacenter, which connects to Hurricane Electric's IPv6 tunnel service and basically routes my IPv6 traffic to that tunnel. Earlier I discovered that some IPv6 connectivity issues were related to MTU being too big (1480; reduced to 1400 now) but the unkillable IPv6 applications was new and only happened on 14.x)
>

That doesn’t immediately ring any bells, no.

Are you using route-to anywhere? There’s been a change (829a69db855b48ff7e8242b95e193a0783c489d9) that has some potential to affect uncommon setups, but right now I’m just guessing.

I’d recommend tcpdump-ing the wan link at the same time as the gif tunnel so you can work out if the packets are being dropped locally or remotely. Or you can try adding ‘log’ statements to the pf rules and using pflog to figure out if/why packets are being dropped.

Best regards,
Kristof
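
Added example, not part of the original message or of any FreeBSD tool: a small Python parser for tcpdump's one-line text output that counts how often the same TCP segment (same endpoints, seq range and ack) recurs in a capture, to quantify duplicates like the ones quoted above. The function name and the last sample line are constructed for illustration; the other sample lines are copied from the quoted capture.

```python
import re
from collections import defaultdict

# tcpdump's default one-line text format for TCP over IPv6, as quoted in the thread.
SEGMENT = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP6 (\S+) > (\S+): "
    r"Flags \[[^\]]*\], seq (\d+:\d+), ack (\d+)"
)

def find_repeated_segments(lines, min_copies=3):
    """Report segments seen at least min_copies times in one capture.

    Copies are matched on (src, dst, seq range, ack). The capture timestamp
    and the TCP "TS val" option are ignored: they are the only fields that
    differ between the copies in the quoted output.
    """
    seen = defaultdict(list)
    for line in lines:
        m = SEGMENT.match(line.strip())
        if not m:
            continue  # annotations, non-TCP lines, truncated output
        h, mi, s, us, src, dst, seq, ack = m.groups()
        stamp_us = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
        seen[(src, dst, seq, ack)].append(stamp_us)
    report = [
        {"src": k[0], "dst": k[1], "seq": k[2], "ack": k[3],
         "copies": len(v), "span_us": max(v) - min(v)}
        for k, v in seen.items() if len(v) >= min_copies
    ]
    return sorted(report, key=lambda r: r["copies"], reverse=True)

# Segment lines 1, 2 and 4 are from the quoted capture; the last line is constructed.
SAMPLE = """\
03:40:50.088262 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088580 ecr 3077807235], length 1328
03:40:50.088332 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088581 ecr 3077807235], length 1328
[identical except timestamp]
03:40:50.089107 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 1619:2947, ack 4225, win 129, options [nop,nop,TS val 2817088581 ecr 3077807235], length 1328
03:40:50.090001 IP6 LOCAL.16275 > REMOTE.443: Flags [.], seq 2947:4275, ack 4225, win 129, options [nop,nop,TS val 2817088582 ecr 3077807235], length 1328
""".splitlines()

if __name__ == "__main__":
    for row in find_repeated_segments(SAMPLE):
        print(row)
```

Feeding it text captures from the gif interface taken before and after a configuration change gives a per-segment copy count and the time span over which the copies were sent.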