<p>pfSense bugtracker | https://redmine.pfsense.org/</p>
<p>pfSense - Bug #5408: broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22186 | 2015-11-10T18:21:20Z | Chris Buechler (cbuechler@gmail.com)</p>
<p>Some relevant recent changes: <br /><a class="external" href="https://svnweb.freebsd.org/base?view=revision&revision=289703">https://svnweb.freebsd.org/base?view=revision&revision=289703</a><br /><a class="external" href="https://svnweb.freebsd.org/base?view=revision&revision=290161">https://svnweb.freebsd.org/base?view=revision&revision=290161</a></p>
<p>Appears 290161 needs MFCed.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22232 | 2015-11-11T04:20:30Z | Renato Botelho (renato@netgate.com)</p>
<p>Kristof mentioned he is going to MFC 290161 today. After that happens I'm going to merge it into our branch and build new snaps.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22246 | 2015-11-11T07:04:04Z | Renato Botelho (renato@netgate.com)</p>
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li></ul><p>FYI, Kristof did the MFC at r290669. I've merged it into our FreeBSD-src repo and kicked off new builds. Could you please try new snapshots as soon as they are available?</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22260 | 2015-11-11T08:24:10Z | Jim Pingle</p>
<ul><li><strong>Assignee</strong> changed from <i>Luiz Souza</i> to <i>Chris Buechler</i></li></ul><p>Of two affected systems here both have been fixed by the merge. Leaving open for more feedback but it looks OK to me so far.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22293 | 2015-11-11T15:08:18Z | Jim Pingle</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Confirmed</i></li><li><strong>Assignee</strong> changed from <i>Chris Buechler</i> to <i>Luiz Souza</i></li></ul><p>There is still a problem here. It works for traffic from the firewall itself but not for traffic flowing through that hits a route-to when it enters the firewall.</p>
<p>For example, TCP connection enters LAN, hits a policy routing rule with route-to, exits a V6 WAN. No state is created when it exits the V6 WAN, so the SYN+ACK is denied re-entry. Remove the policy routing from the LAN rule then repeat the test and the state is created, traffic flows as expected.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22311 | 2015-11-11T22:54:21Z | Chris Buechler (cbuechler@gmail.com)</p>
<ul><li><strong>Subject</strong> changed from <i>broken TCP checksums with IPv6 and route-to/reply-to</i> to <i>broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces</i></li></ul><p>The original issue is still applicable with gif interfaces, they have the same broken checksum on every TCP packet. It's fixed on every non-gif scenario I've tried.</p>
<p>The issue JimP noted above is separate, opened <a class="issue tracker-1 status-3 priority-5 priority-high4 closed" title="Bug: outbound state not created for TCP IPv6 traffic matching route-to rule (Resolved)" href="https://redmine.pfsense.org/issues/5424">#5424</a> for that.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22316 | 2015-11-12T01:58:27Z | Chris Buechler (cbuechler@gmail.com)</p>
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li></ul><p>This looks to have fixed the remainder of this issue. <br /><a class="external" href="https://github.com/pfsense/FreeBSD-src/commit/2e02b14e19fd0fe27055d4a6e11a65e76882bf5f">https://github.com/pfsense/FreeBSD-src/commit/2e02b14e19fd0fe27055d4a6e11a65e76882bf5f</a></p>
<p>Renato/Luiz, FYI: I just pulled in some patches on that commit and <a class="external" href="https://github.com/pfsense/FreeBSD-src/commit/fcb1a35e91beb27cdb14eeeff3aab781c0a9671c">https://github.com/pfsense/FreeBSD-src/commit/fcb1a35e91beb27cdb14eeeff3aab781c0a9671c</a> that jimt pointed out might be related so we could get snapshots to test with. Probably going to want to revert those when syncing up with FreeBSD.</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22341 | 2015-11-12T11:21:28Z | Jim Thompson (jim@netgate.com)</p>
<ul><li><strong>Assignee</strong> changed from <i>Luiz Souza</i> to <i>Chris Buechler</i></li></ul><p>fixed here.</p>
<p>reassigning to cmb</p>
<p>https://redmine.pfsense.org/issues/5408?journal_id=22664 | 2015-11-18T17:18:29Z | Chris Buechler (cbuechler@gmail.com)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>fixed</p>