On Sat, 20 Nov 2010 07:48:58 -0500, Greg Troxel <gdt%ir.bbn.com@localhost> wrote:
pf has a bug* where if it isn't keeping state then tcp packets with the wscale option set (in the syn, but not in the packet of interest) can be dropped as out-of-window. So make sure you are keeping state and see ifthat helps.Run tcpdump and look at all the packets, and use pfctl to get counts and stats. This is standard debugging advice but definitely in order here.* 99% sure - really figuring this out and fixing is on my todo list.
Hi,Thanks for taking the time. After quite a bit of tcpdump and pfctl later, it does seem to be a state issue on IPv6. The state is being created, by the rule that is interpreted as "pass out quick all flags S/SA keep state" according to pfctl, but for some reason it appears the packets coming back don't match it, and therefore aren't passed. They're caught by the catch-anything-else "block drop all" rule.
Doing "sysctl -w net.inet6.tcp6.win_scale=0" changes nothing. (and, curiously, but completely unrelated, although there seems to be 2 sysctls for win_scale, one IPv4 and one IPv6, changing one seems to change the other).
Any more thoughts or troubleshooting suggestions are more than welcome, and thanks again,
Phil