TLS_FORWARD can get stuck on broken addresses (v5.3.0)
With a normal TLS-forwarding config, e.g.:
policy.add(policy.all(policy.TLS_FORWARD({
    { '8.8.8.8', hostname='dns.google' },
    { '8.8.4.4', hostname='dns.google' },
    { '2001:4860:4860::8888', hostname='dns.google' },
    { '2001:4860:4860::8844', hostname='dns.google' },
})))
but with some of the addresses disabled, e.g.
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
some queries get stuck in a very long "loop" of attempting connections to the non-working IPs, even though half of them work. Example log snippet: tls_forward.log
!1143 (merged) doesn't trigger here; it wasn't meant for forwarding and individual addresses might be broken for other reasons anyway.