Bug #5408
closed
broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces
Added by Chris Buechler about 9 years ago.
Updated about 9 years ago.
Category: Operating System
Description
TCP checksums on IPv6 traffic matching rules specifying route-to or reply-to end up with broken TCP checksums. Every packet from a given system has the same wrong TCP checksum. Change the IPv6 source IP and the checksum it uses changes, and still stays the same across all packets.
The issue doesn't exist in stock FreeBSD 10-STABLE.
It is at least somewhat hardware-specific. In VMware ESX, vmxnet3 doesn't exhibit the issue, but e1000 does. All physical hardware seems to be affected (RCC-VE, APU, and more).
Example on 172.27.44.174. 'ping6 google.com' works, 'fetch -6 http://google.com' fails. Take out the route-to from the rule:
pass out route-to ( ... ) inet6 from ... keep state allow-opts label "let out anything from firewall host itself"
and it works.
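The symptom described above (a constant wrong checksum that changes only when the IPv6 source address changes) is consistent with the IPv6 pseudo-header not being folded in correctly. The following added example, which is not code from pfSense or FreeBSD, computes and verifies the IPv6 TCP checksum over the pseudo-header (RFC 2460) so that a captured segment can be checked by hand; the addresses, ports and the SYN segment are constructed for the demonstration.

```python
import ipaddress
import struct

TCP_PROTO = 6  # IPv6 Next Header value for TCP


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data on the right
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_tcp_checksum(src: str, dst: str, tcp_segment: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the TCP segment.

    Pseudo-header: src (16) + dst (16) + upper-layer length (4)
                   + 3 zero bytes + next header (1).
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(tcp_segment))
              + b"\x00\x00\x00" + bytes([TCP_PROTO]))
    # The checksum field (TCP header bytes 16-17) is zero while summing.
    seg = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return (~ones_complement_sum(pseudo + seg)) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Constructed minimal 20-byte TCP SYN with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x02, 65535, 0, 0)
    csum = ipv6_tcp_checksum(src, dst, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def checksum_ok(src: str, dst: str, tcp_segment: bytes) -> bool:
    """True when the checksum carried in the segment matches the recomputation."""
    carried = struct.unpack("!H", tcp_segment[16:18])[0]
    return ipv6_tcp_checksum(src, dst, tcp_segment) == carried


if __name__ == "__main__":
    seg = build_syn("2001:db8::1", "2001:db8::2", 12345, 80)
    print("valid:", checksum_ok("2001:db8::1", "2001:db8::2", seg))
    # Same segment attributed to a different source address fails, as
    # the source address is part of the pseudo-header.
    print("other source:", checksum_ok("2001:db8::3", "2001:db8::2", seg))
```

Running the verifier over the TCP segments of a capture from the affected gif interface would show the same mismatch on every packet.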
Kristof mentioned he is going to MFC 290161 today. After that happens I'm going to merge it into our branch and build new snaps.
- Status changed from Confirmed to Feedback
FYI, Kristof did the MFC at r290669. I've merged it into our FreeBSD-src repo and kicked off new builds. Could you please try the new snapshots as soon as they are available?
- Assignee changed from Luiz Souza to Chris Buechler
Of two affected systems here both have been fixed by the merge. Leaving open for more feedback but it looks OK to me so far.
- Status changed from Feedback to Confirmed
- Assignee changed from Chris Buechler to Luiz Souza
There is still a problem here. It works for traffic from the firewall itself but not for traffic flowing through that hits a route-to when it enters the firewall.
For example, TCP connection enters LAN, hits a policy routing rule with route-to, exits a V6 WAN. No state is created when it exits the V6 WAN, so the SYN+ACK is denied re-entry. Remove the policy routing from the LAN rule then repeat the test and the state is created, traffic flows as expected.
- Subject changed from broken TCP checksums with IPv6 and route-to/reply-to to broken TCP checksums with IPv6 and route-to/reply-to on gif interfaces
The original issue is still applicable with gif interfaces, they have the same broken checksum on every TCP packet. It's fixed on every non-gif scenario I've tried.
The issue JimP noted above is separate, opened #5424 for that.
- Status changed from Confirmed to Feedback
- Assignee changed from Luiz Souza to Chris Buechler
Fixed here.
Reassigning to cmb.
- Status changed from Feedback to Resolved