NetBSD-Users archive


Bizarre packetfilter behavior with ipv6



Here's a story for you...

I noticed a problem tonight where some emails would get stuck in my mail relay VPS when it was trying to send them to my local mail server in my home network (postfix complained of "timeout in DATA").
So I investigated and after much messing with postfix I started sending test 
files to first the mail server, then the xen dom0 it lives on and finally 
another host on my network (an SGI Octane running IRIX).
All exhibited the problem, except if I sent the file to the gateway/ipv6 
tunnel endpoint, that worked.
So I tcpdumped both the internal interface (wm0) and the tunnel endpoint 
(gif0) and found that after sending about 40kb of data in one tcp connection 
from an external host to a host in my network, an ACK packet would arrive on 
wm0 but not get sent out on gif0, and I'd see repeat SYNs coming in on the 
gif0 where the remote host was trying to retransmit the same packet that it 
didn't get an ACK for.
After much random messing about I looked at my pf config, but it seemed ok, 
there were no block rules that could possibly match, but I commented out 
everything related to ipv6 anyway, and tested again. Now sending the file 
worked. Obviously something was breaking so I re-enabled the rules one by one 
and found that the ACK packet would not pass through the gateway if there was 
ANY "pass in" rule on the gif0 OR "pass out" rule on the wm0. This triggers 
the issue:

    pass in on gif0

OR

    pass out on wm0 inet6

That's it. Block in on gif0 rules work and pass out on gif0 rules work.

There seems to be no issue with having lots of ipv4 rules; since this system is in use, I don't want to disable the ipv4 rules.
Can someone explain what's going on here? The system is a Soekris 6501 running 
7.1_STABLE from April 9 2017, it's been up for 160 days.
I included pcap files if that helps.

Staffan

Attachment: gif0.pcap
Description: Binary data

Attachment: wm0.pcap
Description: Binary data
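
The two-interface comparison described in the message can be automated. The following is an added example, not part of the original post: it lists packets from an inside host that appear in the wm0 capture but never leave on gif0. It assumes text output from `tcpdump -n -tt -S -r <file>`; the addresses, ports and capture lines are constructed samples, and `parse` and `not_forwarded` are hypothetical helper names.

```python
import re
from collections import Counter

# IPv6 TCP lines as printed by `tcpdump -n -tt -S` (absolute sequence numbers).
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+)(?::\d+)?)?"
    r"(?:, ack (?P<ack>\d+))?"
    r".*?length (?P<len>\d+)")

def parse(text):
    """Return (timestamp, key) per packet; key holds only fields a router leaves intact."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            key = (m["src"], m["dst"], m["flags"], m["seq"], m["ack"], m["len"])
            out.append((float(m["ts"]), key))
    return out

def not_forwarded(inside_text, tunnel_text, inside_host):
    """Packets sent by inside_host on the inside capture with no copy on the tunnel capture."""
    remaining = Counter(key for _, key in parse(tunnel_text))
    missing = []
    for ts, key in parse(inside_text):
        if not key[0].startswith(inside_host + "."):
            continue                      # only the inside -> outside direction
        if remaining[key] > 0:
            remaining[key] -= 1           # consume one tunnel copy per inside copy
        else:
            missing.append((ts, key))
    return missing

# Constructed sample captures (documentation-prefix addresses, not from the attached pcaps).
R, H = "2001:db8:ffff::1.40000", "2001:db8:1::10.25"
WM0 = f"""
1505940000.100000 IP6 {R} > {H}: Flags [.], seq 38001:39449, ack 1, win 256, length 1448
1505940000.100900 IP6 {H} > {R}: Flags [.], ack 39449, win 512, length 0
1505940000.200000 IP6 {R} > {H}: Flags [.], seq 39449:40897, ack 1, win 256, length 1448
1505940000.200900 IP6 {H} > {R}: Flags [.], ack 40897, win 512, length 0
"""
GIF0 = f"""
1505940000.099000 IP6 {R} > {H}: Flags [.], seq 38001:39449, ack 1, win 256, length 1448
1505940000.101000 IP6 {H} > {R}: Flags [.], ack 39449, win 512, length 0
1505940000.199000 IP6 {R} > {H}: Flags [.], seq 39449:40897, ack 1, win 256, length 1448
1505940001.199000 IP6 {R} > {H}: Flags [.], seq 39449:40897, ack 1, win 256, length 1448
"""

if __name__ == "__main__":
    for ts, key in not_forwarded(WM0, GIF0, "2001:db8:1::10"):
        print(f"{ts:.6f} seen on inside, never left tunnel: {key}")
```
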


