Hi,
* Alexander Bluhm wrote:
> On Mon, Jun 21, 2021 at 09:40:06AM +0200, Alexandr Nedvedicky wrote:
> > looks like there must be yet another code path, which
> > enters the recursion.
>
> Yes.
>
> Do you use routing domains in pf? Do you have reject or blackhole
> routes?
No, not that I am aware of. I use the default pf.conf and made no
modification.
> Please send:
> - netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 10.0.5.163 UGS 0 0 - 6 enc0
default 172.23.5.1 UGS 10 481 - 8 trunk0
224/4 127.0.0.1 URS 0 0 32768 8 lo0
10.0.5.163 enc0 UHLhl 1 2 - 1 enc0
10.0.5.163/32 10.0.5.163 UCn 0 0 - 4 enc0
82.165.126.225 172.23.5.1 UGHS 0 0 - 6 trunk0
127/8 127.0.0.1 UGRS 0 0 32768 8 lo0
127.0.0.1 127.0.0.1 UHhl 2 1184 32768 1 lo0
172.23.5/24 172.23.5.36 UCn 1 413 - 4 trunk0
172.23.5.1 cc:ce:1e:8b:cf:cf UHLch 2 1024 - 3 trunk0
172.23.5.36 50:7b:9d:73:aa:8a UHLl 0 486 - 1 trunk0
172.23.5.255 172.23.5.36 UHb 0 0 - 1 trunk0
Internet6:
Destination Gateway Flags Refs Use Mtu Prio Iface
default fd5b:24b3:ff78:23::5d0:7466 UGS 0 0 - 6 enc0
default fe80::cece:1eff:fe8b:cfcf%trunk0 UGS 2 114 - 8 trunk0
::/96 ::1 UGRS 0 0 32768 8 lo0
::1 ::1 UHhl 14 8156 32768 1 lo0
::ffff:0.0.0.0/96 ::1 UGRS 0 0 32768 8 lo0
2001:16b8:245e:b00::/64 2001:16b8:245e:b00:7e06:208a:22a4:3ac5 UCPn 1 1 - 4 trunk0
2001:16b8:245e:b00::/64 2001:16b8:245e:b00:e8a5:4adc:6b84:a7ed UCPn 0 0 - 4 trunk0
2001:16b8:245e:b00:7e06:208a:22a4:3ac5 50:7b:9d:73:aa:8a UHLl 0 0 - 1 trunk0
2001:16b8:245e:b00:bbbe:4458:681c:493f link#5 UHLc 0 67 - 3 trunk0
2001:16b8:245e:b00:e8a5:4adc:6b84:a7ed 50:7b:9d:73:aa:8a UHLl 0 7 - 1 trunk0
2002::/24 ::1 UGRS 0 0 32768 8 lo0
2002:7f00::/24 ::1 UGRS 0 0 32768 8 lo0
2002:e000::/20 ::1 UGRS 0 0 32768 8 lo0
2002:ff00::/24 ::1 UGRS 0 0 32768 8 lo0
fd00:23:42:5::/64 fd00:23:42:5:c019:d20a:d1e:a33f UCPn 1 1 - 4 trunk0
fd00:23:42:5::/64 fd00:23:42:5:c0e8:a8d9:b26c:d589 UCPn 0 0 - 4 trunk0
fd00:23:42:5:c019:d20a:d1e:a33f 50:7b:9d:73:aa:8a UHLl 0 68 - 1 trunk0
fd00:23:42:5:c0e8:a8d9:b26c:d589 50:7b:9d:73:aa:8a UHLl 0 7 - 1 trunk0
fd00:23:42:5:cece:1eff:fe8b:cfcf cc:ce:1e:8b:cf:cf UHLc 1 609 - 3 trunk0
fd5b:24b3:ff78:23::5d0:7466 enc0 UHLhl 1 2 - 1 enc0
fe80::/10 ::1 UGRS 0 2 32768 8 lo0
fec0::/10 ::1 UGRS 0 0 32768 8 lo0
fe80::1%lo0 fe80::1%lo0 UHl 0 0 32768 1 lo0
fe80::%trunk0/64 fe80::527b:9dff:fe73:aa8a%trunk0 UCn 1 2 - 4 trunk0
fe80::527b:9dff:fe73:aa8a%trunk0 50:7b:9d:73:aa:8a UHLl 0 320 - 1 trunk0
fe80::cece:1eff:fe8b:cfcf%trunk0 cc:ce:1e:8b:cf:cf UHLch 1 1046 - 3 trunk0
ff01::/16 ::1 UGRS 2 4 32768 8 lo0
ff01::%lo0/32 fe80::1%lo0 Um 0 1 32768 4 lo0
ff01::%trunk0/32 fe80::527b:9dff:fe73:aa8a%trunk0 Um 0 4 - 4 trunk0
ff02::/16 ::1 UGRS 2 4 32768 8 lo0
ff02::%lo0/32 fe80::1%lo0 Um 0 1 32768 4 lo0
ff02::%trunk0/32 fe80::527b:9dff:fe73:aa8a%trunk0 Um 0 5 - 4 trunk0
> - a description which routes are used for IPsec
172.23.5.1 is my local default gw, 82.165.126.225 is the IP address of the ipsec
server. 10.0.5.0/24 and fd5b:24b3:ff78:23::/48 are the networks on the
VPN tunnel.
> - ipsecctl -s flow
flow esp in from 0.0.0.0/0 to 10.0.5.163 peer 82.165.126.225 type require
flow esp out from 10.0.5.163 to 0.0.0.0/0 peer 82.165.126.225 type require
flow esp in from ::/0 to fd5b:24b3:ff78:23::5d0:7466 peer 82.165.126.225 type require
flow esp out from fd5b:24b3:ff78:23::5d0:7466 to ::/0 peer 82.165.126.225 type require
> - pf rules that affect rdomains or rtable.
Nothing on my side; I use the pf.conf Revision 1.55.
> I guess that path MTU discovery does not work in your case. It
> recurses over tcp_mtudisc().
>
> If it is a reject route, this check in icmp_mtudisc_clone() could
> prevent that my fix works.
>
> 	/* IPsec needs the route only for PMTU, it can use reject for that */
> 	if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
> 		goto bad;
>
> Could you try this diff?
Sure, will compile a kernel and try to reproduce.
Cheers
Matthias
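Added example, not part of this thread: a small Python parser for the netstat -rn output above that flags reject (R) and blackhole (B) routes, the condition the quoted icmp_mtudisc_clone() check keys on, and reports whether any of them sit on the IPsec path (the enc0 interface or the host route to the peer). The function names, the sample rows and the peer/interface defaults are assumptions taken from this thread.

```python
from typing import Dict, List

# Constructed sample: a few IPv4 rows copied from the netstat -rn output
# posted in this thread (OpenBSD column layout).
NETSTAT_SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            10.0.5.163         UGS        0        0     -     6 enc0
default            172.23.5.1         UGS       10      481     -     8 trunk0
224/4              127.0.0.1          URS        0        0 32768     8 lo0
10.0.5.163         enc0               UHLhl      1        2     -     1 enc0
82.165.126.225     172.23.5.1         UGHS       0        0     -     6 trunk0
127/8              127.0.0.1          UGRS       0        0 32768     8 lo0
"""

COLUMNS = ("dest", "gateway", "flags", "refs", "use", "mtu", "prio", "iface")


def parse_routes(text: str) -> List[Dict[str, str]]:
    """One dict per route; banner, family and column-header lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0] == "Destination":
            continue
        routes.append(dict(zip(COLUMNS, fields)))
    return routes


def reject_or_blackhole(routes: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Routes flagged R (RTF_REJECT) or B (RTF_BLACKHOLE); the match is
    case-sensitive, so lowercase 'b' (broadcast) is not picked up."""
    return [r for r in routes if set(r["flags"]) & {"R", "B"}]


def ipsec_related(routes, ipsec_iface: str = "enc0", peer: str = "82.165.126.225"):
    """Routes on the enc(4) interface plus the host route to the IPsec peer.
    The defaults are the interface and peer address given in the thread."""
    return [r for r in routes if r["iface"] == ipsec_iface or r["dest"] == peer]


def suspicious(routes, **kw) -> List[Dict[str, str]]:
    """Reject/blackhole routes that also lie on the IPsec path. An empty result
    means no reject route on the tunnel path would trip the quoted check; the
    R-flagged loopback routes (224/4, 127/8) are unrelated to the tunnel."""
    flagged = reject_or_blackhole(routes)
    return [r for r in ipsec_related(routes, **kw) if r in flagged]
```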