Just to follow up, I don't know why it had the effect I was seeing with
tcpdump, but I did finally locate some network filtering in libvirt and
observed that I saw the problem with Debian Buster as the hypervisor, but
not with Debian Bullseye, and also noticed that Bullseye had a file:
/etc/libvirt/nwfilter/allow-ipv6.xml

I upgraded the Buster machine to Bullseye, not without some drama, and that
has fixed my IPv6 connectivity problem.

On Fri, Sep 9, 2022 at 1:34 PM Russell Senior <[email protected]>
wrote:

>
>
> On Fri, Sep 9, 2022 at 7:34 AM Paul Heinlein <[email protected]> wrote:
>
>> On Fri, 9 Sep 2022, Russell Senior wrote:
>>
>> > I'm seeing bizarre behavior: host A initiates an ssh -6 to host B; host B
>> > is a qemu-kvm guest of a kvm host, C. Tcpdump (on the initiating host A)
>> > shows A -> B TCP SYN packet, and a B -> A TCP SYN-ACK reply, but host A
>> > apparently doesn't recognize it as valid (although, in wireshark they look
>> > reasonable to an eyeball), because the connect syscall never returns (until
>> > it times out), and the A -> B ACK handshake is never sent. Works fine for
>> > ssh -4. If A and C are the same host, I see the same behavior. Another
>> > wrinkle: if A is also a kvm guest of C, I don't see the SYN-ACK, just the
>> > SYN. The kvm clients are connected via a network bridge on C, e.g. "brctl
>> > show" sees N+1 real ethernet interfaces eth0, ... ethN, and the M+1
>> > virtual interfaces associated with the kvm guests: vnet0 ... vnetM. There
>> > are no netfilter rules to be seen on any of the hosts involved.
>> >
>> > Oh, and A can ping6 B, and vice versa, just fine. I'm only seeing this
>> > weirdness with TCP.
>> >
>> > Anybody have any thoughts? This is violating my expectations.
>>
>> That is weird. Weirder still is the fact that I can duplicate those
>> symptoms on my Mac that's hosting a Linux VM using the UTM hypervisor.
>> ssh -6 fails but ping6 succeeds.
>>
>
> Thankfully, it isn't a local distortion zone effect then, if you can
> duplicate it. I am not sure who to even ask about it. Seems like a kernel
> thing if the connect(2) syscall is timing out.
>
>
>>
>> --
>> Paul Heinlein
>> [email protected]
>> 45°22'48" N, 122°35'36" W
>>
>
