Bug #5408: broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #5408

closed

broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces

Added by Chris Buechler over 8 years ago. Updated over 8 years ago.

Status:

Resolved

Priority:

Very High

Assignee:

Chris Buechler

Category:

Operating System

Target version:

2.3

Start date:

11/10/2015

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.3

Affected Architecture:

Description

TCP checksums on IPv6 traffic matching rules specifying route-to or reply-to end up with broken TCP checksums. Every packet from a given system has the same wrong TCP checksum. Change the IPv6 source IP and the checksum it uses changes, and still stays the same across all packets.

The issue doesn't exist in stock FreeBSD 10-STABLE.

It is at least somewhat hardware-specific. In VMware ESX, vmxnet3 doesn't exhibit the issue, but e1000 does. All physical hardware seems to be affected (RCC-VE, APU, and more).

Example on 172.27.44.174. 'ping6 google.com' works, 'fetch -6 http://google.com' fails. Take out the route-to from the rule:

pass out  route-to ( ... ) inet6 from ... keep state allow-opts label "let out anything from firewall host itself"

and it works.

History
Notes
Property changes

Actions

Copy link

Updated by Chris Buechler over 8 years ago

Some relevant recent changes:
https://svnweb.freebsd.org/base?view=revision&revision=289703
https://svnweb.freebsd.org/base?view=revision&revision=290161

Appears 290161 needs MFCed.

Actions

Copy link

Updated by Renato Botelho over 8 years ago

Kristof mentioned he is going to MFC 290161 today. After that happens I'm going to merge it into our branch and build new snaps

Actions

Copy link

Updated by Renato Botelho over 8 years ago

Status changed from Confirmed to Feedback

FYI, Kristof did the MFC at r290669. I've merged it into our FreeBSD-src repo and kicked off new builds. Could you please try new snapshots as soon as it is available?

Actions

Copy link

Updated by Jim Pingle over 8 years ago

Assignee changed from Luiz Souza to Chris Buechler

Of two affected systems here both have been fixed by the merge. Leaving open for more feedback but it looks OK to me so far.

Actions

Copy link

Updated by Jim Pingle over 8 years ago

Status changed from Feedback to Confirmed
Assignee changed from Chris Buechler to Luiz Souza

There is still a problem here. It works for traffic from the firewall itself but not for traffic flowing through that hits a route-to when it enters the firewall.

For example, TCP connection enters LAN, hits a policy routing rule with route-to, exits a V6 WAN. No state is created when it exits the V6 WAN, so the SYN+ACK is denied re-entry. Remove the policy routing from the LAN rule then repeat the test and the state is created, traffic flows as expected.

Actions

Copy link

Updated by Chris Buechler over 8 years ago

Subject changed from broken TCP checksums with IPv6 and route-to/reply-to to broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces

The original issue is still applicable with gif interfaces, they have the same broken checksum on every TCP packet. It's fixed on every non-gif scenario I've tried.

The issue JimP noted above is separate, opened #5424 for that.

Actions

Copy link

Updated by Chris Buechler over 8 years ago

Status changed from Confirmed to Feedback

this looks to have fixed the remainder of this issue.
https://github.com/pfsense/FreeBSD-src/commit/2e02b14e19fd0fe27055d4a6e11a65e76882bf5f

Renato/Luiz, FYI: I just pulled in some patches on that commit and https://github.com/pfsense/FreeBSD-src/commit/fcb1a35e91beb27cdb14eeeff3aab781c0a9671c that jimt pointed out might be related so we could get snapshots to test with. Probably going to want to revert those when syncing up with FreeBSD.

Actions

Copy link