From nobody@FreeBSD.org  Fri Oct 12 19:08:59 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 9BAB1677
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 12 Oct 2012 19:08:59 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 6BB248FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 12 Oct 2012 19:08:59 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q9CJ8xfk065045
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 12 Oct 2012 19:08:59 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q9CJ8wUF065044;
	Fri, 12 Oct 2012 19:08:58 GMT
	(envelope-from nobody)
Message-Id: <201210121908.q9CJ8wUF065044@red.freebsd.org>
Date: Fri, 12 Oct 2012 19:08:58 GMT
From: Mark Martinec <Mark.Martinec@ijs.si>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pf(4): 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         172648
>Category:       kern
>Synopsis:       [pf] [ip6]: 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 12 19:10:00 UTC 2012
>Closed-Date:    
>Last-Modified:  Sat Oct 13 22:23:52 UTC 2012
>Originator:     Mark Martinec
>Release:        9.1-PRERELEASE (i.e. 9.1-RC2)
>Organization:
Jozef Stefan Institute, Ljubljana
>Environment:
FreeBSD neli.ijs.si 9.1-PRERELEASE FreeBSD 9.1-PRERELEASE #0: Fri Oct 12 18:10:04 CEST 2012     mark@neli.ijs.si:/usr/obj/usr/src/sys/NELI  amd64
>Description:
When pf (packet filter) is enabled and configured with 'scrub reassemble tcp',
IPv6 TCP connections take 9 seconds to establish. Packet capture shows
checksum errors on SYN ACK packets but not on other packets.

A TCP connection establishment (SYN) on IPv6 is (re-)tried four times,
with a 3 second delay between each attempt, while the TCP options are
being simplified each time by the kernel (dropping ECN, CWR, window
scaling, and dropping a timestamp options). Only the fourth attempt
is successful, with no other options but SACK, and this TCP session
then proceeds normally.

Disabling 'scrub reassemble tcp' in the pf avoids the problem.
Similarly, turning off net.inet.tcp.rfc1323 on either end
also avoids the problem, even with 'reassemble tcp' enabled.

The problem does not occur on IPv4 sessions, only on IPv6.

The problem is not associated with interface checksum offloading,
it is repeatable on gif, em, and re interfaces. Also a packet capture
(wireshark) shows packet checksum errors on SYN ACK packets (but
not on the SYN packet) in the first couple of failed attempts, and
no checksum errors on other packets (e.g. after a successfully
established session).

My guess is that the TCP timestamp option triggers a pf bug,
which then miscalculates a packet checksum on SYN ACK.
>How-To-Repeat:
Use the following trivial pf config file:

  scrub all reassemble tcp
  pass all

Then try to establish any TCP session to any IPv6 address.
Any client will do (telnet, ssh, curl, web browser).
Try for example:
  curl -6 -L http://tools.ietf.org/rfc/rfc3021.txt | wc -l

The connection will 'hang' for 9 seconds (until a sufficiently
dumbed-down SYN options are tried), then it proceeds normally.
>Fix:
No known fix.

Two workarounds:
- don't use 'scrub reassemble tcp' in PF, or disable PF
- sysctl net.inet.tcp.rfc1323=0

>Release-Note:
>Audit-Trail:

From: Mark Martinec <Mark.Martinec@ijs.si>
To: FreeBSD-gnats-submit@freebsd.org,
 freebsd-bugs@freebsd.org
Cc:  
Subject: Re: misc/172648: pf(4): 'scrub reassemble tcp' breaks IPv6 packet checksum on SYN ACK
Date: Sat, 13 Oct 2012 14:21:43 +0200

 Btw, the effect described here looks very similar,
 checksum errors on a SYN reply with IPv6 and pf:
 
 http://lists.freebsd.org/pipermail/freebsd-stable/2012-July/068990.html
 
   Regression with jails/IPv6/pf
   Matthew Seaman <m.seaman@infracaninophile.co.uk>
   Thu Jul 26 23:10:43 UTC 2012
 
 
 Mark
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Sat Oct 13 22:23:28 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172648 
>Unformatted:
