# 9.1 and outgoing tcp6: Operation timed out



## uisge (Dec 29, 2012)

Hi --

I came across an issue with outgoing tcp6 connections after upgrading to 9.1-RELEASE. 

Whenever I try to connect to a distant IPv6 service using tcp6, I run into timeouts, e.g.:

```
9.1> nc -6vw 1 a:b:c:d::1 53
nc: connect to a:b:c:d::1 port 53 (tcp) failed: Operation timed out
```

If I disable pf, I'll succeed:


```
9.1> pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled

9.1> nc -6vw 1 a:b:c:d::1 53
Connection to a:b:c:d::1 53 port [tcp/domain] succeeded!
```

The relevant part of the tcpdump output at the outgoing server looks like:

```
9.1> tcpdump  -n -e -ttt -s 256 -vvv -p -i em0

ethertype IPv6 (0x86dd), length 94: (flowlabel 0xd704f, hlim 64, next-header TCP (6) payload length: 40) w:x:y:z::1.60238 > a:b:c:d::1.53: Flags [S], cksum 0x9471 (incorrect -> 0x7830), seq 406663917, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 35873618 ecr 0], length 0
```

My pf rule regarding outgoing tcp6 is simply:

```
pass out log on em0 inet6 proto tcp all flags S/SA modulate state
```

I did try "flags any" and/or "no state", but to no avail.

I did test with these, and saw the issue regarding tcp6:

	RELEASE #0 r244594
	PRERELEASE #0 r244694
	PRERELEASE (GENERIC) #0 r244811

There is no issue with 9.0-RELEASE-p5 (r244773) and the very same pf configuration. It just happened after upgrading to 9.1-RELEASE.

Is anyone else experiencing the same issue?


P.S. udp6 works as expected.


----------



## gkontos (Dec 29, 2012)

Just a snippet from an IPv6 rule I use:


```
###outbound IPv6 tcp, udp  traffic, no randomize needed.
pass out log on $ext_if inet6 proto { tcp, udp} from any to any
```

The system is FreeBSD 9.1-RELEASE #1 r243750

Edit: I just saw that you are using: flags S/SA modulate state

Don't do that in IPv6. You don't need the keep state statement either, because it is implied.


----------



## uisge (Dec 29, 2012)

gkontos said:

> Edit: I just saw that you are using: flags S/SA modulate state
>
> Don't do that in IPv6. You don't need the keep state statement either, because it is implied.



Thanks. I had modulate state set in my pass out rule. I've changed that to:

```
pass out log on $extIF inet6 proto {tcp, udp} all
```

Now it's working as expected.

But just out of curiosity: what changed between 9.0 and 9.1 that made the very same pass out rule break?

Thanks very much for your help!


----------



## gkontos (Dec 29, 2012)

uisge said:

> But just out of curiosity: what changed between 9.0 and 9.1 that made the very same pass out rule break?



modulate state randomizes the initial sequence number. I think that this is something that might actually "confuse" the state table when it comes to IPv6. 

The same thing applies to synproxy state which also does not work with IPv6.
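To catch this combination before reloading a ruleset, here is an added example (not from the thread, not FreeBSD code): a small Python audit that flags inet6 rules carrying `modulate state` or `synproxy state`, the two options gkontos reports as not working with IPv6. The sample pf.conf is constructed from the rules quoted above; macros are not expanded, so an address family hidden in a `$var` is not seen.

```python
import re
# Constructed sample pf.conf built from the rules quoted in this thread
SAMPLE_PF_CONF = """\
ext_if = "em0"
# rule from the original post: outgoing tcp6 timed out on 9.1-RELEASE
pass out log on em0 inet6 proto tcp all flags S/SA modulate state
# rule from the reply: keep state is implied, no sequence number modulation
pass out log on $ext_if inet6 proto { tcp, udp } from any to any
# IPv4 rule, not affected
pass out on $ext_if inet proto tcp from any to any modulate state
pass in on $ext_if inet6 proto tcp to port 22 \\
    synproxy state
"""
# state options the thread reports as not working with IPv6
IPV6_UNSUPPORTED = ("modulate state", "synproxy state")

def logical_lines(text):
    """Strip comments, join backslash-continued lines, yield (first_line_no, rule)."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line and not buf:
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        yield start, " ".join(" ".join(buf).split())
        buf, start = [], None
    if buf:  # file ended inside a continuation
        yield start, " ".join(" ".join(buf).split())

def audit_inet6_state_options(text):
    """Return (line_no, rule, option) for every inet6 rule using a flagged option.
    Macros ($var) are not expanded, so an af held in a macro is not seen."""
    findings = []
    for n, rule in logical_lines(text):
        if "inet6" not in rule.split():
            continue
        for opt in IPV6_UNSUPPORTED:
            if re.search(r"\b%s\b" % re.escape(opt), rule):
                findings.append((n, rule, opt))
    return findings

if __name__ == "__main__":
    for n, rule, opt in audit_inet6_state_options(SAMPLE_PF_CONF):
        print("line %d: '%s' on inet6 rule: %s" % (n, opt, rule))
```

Run it against the real file with `audit_inet6_state_options(open("/etc/pf.conf").read())`; an empty list means no inet6 rule uses either option.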


----------

