[Bug 207598] pf adds icmp unreach on gre/ipsec somehow

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Tue May 24 06:49:41 UTC 2016


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #5 from Kristof Provost <kp at freebsd.org> ---
(In reply to Max from comment #3)
Scrubbing in both directions should be safe, even with fragment reassemble.
In IPv4 it's OK for a frame to not fit in the MTU. The router will fragment.
(There's special casing in pf to handle the IPv6 scenario, but that doesn't
seem to be relevant here.)

It's also very strange that the mss setting has an influence on ICMP packets.
I'd only expect that to affect TCP streams.

It'd be interesting to get packet captures here (tcpdump -n -i <interface> -s0
-w output.pcap) of both the ICMP echo request and the ICMP error packets.
Ideally capture on an interface outside the GRE tunnel (so we get the GRE
headers too).

-- 
You are receiving this mail because:
You are the assignee for the bug.
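
The capture Kristof asks for, taken on the physical interface outside the tunnel, shows outer IPv4, then GRE, then the inner IPv4 datagram and its ICMP message. The decoder below is an added example for reading such a capture; it is not code from the bug thread, from pf or from FreeBSD. It strips the outer IPv4 and GRE headers (handling the optional checksum, key and sequence fields), classifies the inner ICMP message as an echo or an error, and for an error extracts the quoted original datagram and, for a "fragmentation needed" unreachable, the next-hop MTU, which is what you would compare against the mss/scrub settings under discussion. It takes a raw IPv4 packet, so the link-layer header (14 bytes for Ethernet) must be stripped first; the tunnel endpoints, inner addresses, echo id and the 1400-byte MTU in the sample frames are constructed for this example and do not come from the report.

```python
import socket
import struct

ETHERTYPE_IPV4, IPPROTO_ICMP, IPPROTO_GRE = 0x0800, 1, 47
ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 3, 8
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}   # types that quote the offending datagram (RFC 792)

def inet_checksum(data):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, df=False, ident=0):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def build_icmp(icmp_type, code, rest4, payload=b""):
    body = struct.pack("!BBH", icmp_type, code, 0) + rest4 + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def build_gre(proto, payload):
    return struct.pack("!HH", 0, proto) + payload   # RFC 2784 header, no optional fields

def parse_ipv4(data):
    if len(data) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl or inet_checksum(data[:ihl]) != 0:
        raise ValueError("malformed IPv4 header or bad checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "df": bool(flags_frag & 0x4000), "frag_offset": flags_frag & 0x1FFF,
            "payload": data[ihl:total_len]}

def parse_gre(data):
    """Return (protocol type, payload), skipping the optional C/R, K and S fields."""
    if len(data) < 4:
        raise ValueError("short GRE header")
    flags_ver, proto = struct.unpack("!HH", data[:4])
    if flags_ver & 0x7:
        raise ValueError("GRE version %d not handled" % (flags_ver & 0x7))
    # C or R (0xC000): checksum + offset/reserved; K (0x2000): key; S (0x1000): sequence
    off = 4 + sum(4 for bit in (0xC000, 0x2000, 0x1000) if flags_ver & bit)
    if len(data) < off:
        raise ValueError("truncated GRE options")
    return proto, data[off:]

def parse_icmp(data):
    if len(data) < 8 or inet_checksum(data) != 0:
        raise ValueError("short ICMP message or bad checksum")
    info = {"type": data[0], "code": data[1], "kind": "other"}
    if data[0] == ICMP_ECHO_REQUEST:
        info["kind"] = "echo request"
        info["id"], info["seq"] = struct.unpack("!HH", data[4:8])
    elif data[0] in ICMP_ERROR_TYPES:
        info["kind"] = "error"
        if data[0] == ICMP_DEST_UNREACH and data[1] == 4:
            info["next_hop_mtu"] = struct.unpack("!H", data[6:8])[0]   # RFC 1191
        try:   # an error quotes the original IP header plus at least 8 payload bytes
            q = parse_ipv4(data[8:])
            info["quoted"] = {"src": q["src"], "dst": q["dst"], "proto": q["proto"],
                              "df": q["df"], "first8": q["payload"][:8]}
        except ValueError:
            info["quoted"] = None
    return info

def decode_gre_icmp(packet):
    """Outer IPv4 -> GRE -> inner IPv4 -> ICMP, from a raw IPv4 packet (link layer stripped)."""
    outer = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % outer["proto"])
    proto, inner_bytes = parse_gre(outer["payload"])
    if proto != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % proto)
    inner = parse_ipv4(inner_bytes)
    result = {"outer": (outer["src"], outer["dst"]),
              "inner": (inner["src"], inner["dst"]), "inner_df": inner["df"]}
    if inner["proto"] == IPPROTO_ICMP and inner["frag_offset"] == 0:
        result["icmp"] = parse_icmp(inner["payload"])
    return result

# Constructed samples (documentation address ranges, not from the bug report): a
# tunnelled 1428-byte echo request with DF set, and a "fragmentation needed"
# unreachable (type 3, code 4, MTU 1400) that quotes it.
INNER_ECHO = build_ipv4("10.0.0.1", "10.0.1.1", IPPROTO_ICMP, build_icmp(
    ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"\x00" * 1400), df=True, ident=7)
SAMPLE_ECHO = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE,
                         build_gre(ETHERTYPE_IPV4, INNER_ECHO))
INNER_UNREACH = build_ipv4("10.0.0.254", "10.0.0.1", IPPROTO_ICMP, build_icmp(
    ICMP_DEST_UNREACH, 4, struct.pack("!HH", 0, 1400), INNER_ECHO[:28]))
SAMPLE_UNREACH = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE,
                            build_gre(ETHERTYPE_IPV4, INNER_UNREACH))
```

Feed `decode_gre_icmp()` each packet read from the pcap (with the Ethernet header removed) and look at `outer`, `inner` and `icmp`: for the bug in question the useful pair is the echo request and the error that follows it, checking that the quoted `src`/`dst` in the error match the echo, and whether `inner_df` was set and what `next_hop_mtu` the error advertises.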


More information about the freebsd-pf mailing list