tech-net archive


IPv6 TCP sessions hangs when using PF keep state



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I've been using PF as my gateway's packet filter for a while, and I
have noticed weird behaviours since I upgraded that server to NetBSD 6.0.

That machine has two NICs, one connected to an ADSL modem, the other
one connected to two tagged VLANs. IPv6 connectivity is enabled via
a gre(4) tunnel using the public (ADSL) interface.

From the gateway itself, everything runs fast and smooth, I can
access every IPv6 service without any lag. But from the machines
located on the private VLAN, behind the gateway, I am witnessing
"hangs" while receiving HTTP data, but also during SSH sessions.

I spent quite a lot of time trying various techniques like
reducing the MTU on different interfaces, and finally I tried
flushing PF rules, which led to fully functional IPv6
sessions.
Digging a little bit further, a friend suggested adding a
pass with "no state" on the private interface of the gateway,
and as a matter of fact, IPv6 traffic is still working. But as
soon as I get rid of this rule, I still witness hangs.
Also, even if the only rules loaded by PF are plain pass, IPv6
TCP sessions will also hang.

Does this behaviour ring a bell to anyone?

- ------------------------------------------------------------------
Emile "iMil" Heitor .°. <imil@{home.imil.net,NetBSD.org,gcu.info}>
                                                                _
              | http://imil.net        | ASCII ribbon campaign ( )
              | http://www.NetBSD.org  |  - against HTML email  X
              | http://gcu.info        |              & vCards / \

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (NetBSD)

iD8DBQFQ6XsUFG3BlGWyzUIRAumcAJ9kem5FVQKD5Q+dTvHkj4b2IUPk+ACaAshx
8CR7x+0mrIrmyGDzjOSK0oc=
=XJZ3
-----END PGP SIGNATURE-----

