Bug #16614 (open)
Connections from the firewall itself fail with oversize packets and TSO enabled
% Done: 100%
Description
The firewall (pf) can receive packets that don't fit the interface MTU. This can happen when the packet should not be fragmented (e.g. with IPv6, or IPv4 flagged with DF) and TSO is enabled. When this happens for connections from the firewall itself, the connection is terminated.
To reproduce, on the firewall run openssl s_client -connect '[2610:160:11:11::69]:443' -tls1_3. This results in the connection failing with the output write:errno=13.
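Since the trigger is TSO being enabled on an interface, a quick way to audit a FreeBSD/pfSense box is to parse the options= line that ifconfig prints per interface and report any that still carry TSO4 or TSO6. This is an added example, not code from the bug report or from pfSense; the interface names and option words in the sample are constructed.

```shell
#!/bin/sh
# Added example: list interfaces whose ifconfig options include TSO4 or TSO6.
# ifconfig prints each interface as "name: flags=..." followed by an indented
# "options=<hex><CAP1,CAP2,...>" line; TSO appears there as TSO4 and/or TSO6.

# Read ifconfig output on stdin; print one interface name per line for every
# interface that has TSO4 or TSO6 enabled.
tso_enabled_ifaces() {
    awk '
        /^[a-z0-9_.]+:/ { iface = $1; sub(/:$/, "", iface); next }
        /^[ \t]+options=/ {
            if (match($0, /<[^>]*>/)) {
                caps = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(caps, c, ",")
                for (i = 1; i <= n; i++)
                    if (c[i] == "TSO4" || c[i] == "TSO6") { print iface; break }
            }
        }
    '
}

# Constructed sample ifconfig output (hex option words are made up):
# vtnet0 has TSO on, em0 has it off, lo0 never has it.
SAMPLE_IFCONFIG='vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,TXCSUM_IPV6>
    ether 52:54:00:12:34:56
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4e524bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LRO,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
    ether 00:11:22:33:44:55
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>'

# On a live system:      ifconfig | tso_enabled_ifaces
# To turn TSO off again:  ifconfig vtnet0 -tso   (or re-check the TSO-disable
# box in the pfSense GUI, which is the workaround the bug comments describe)
printf '%s\n' "$SAMPLE_IFCONFIG" | tso_enabled_ifaces
```

Any interface the function prints is one on which locally originated IPv6 (or DF-flagged IPv4) connections can hit this bug until the upstream fix is merged or TSO is disabled.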
Updated by Marcos M 21 days ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Fixed with https://cgit.freebsd.org/src/commit/?id=2e7699355f08258365fb5f65d11ac297e20f78de
This will be picked up with the next upstream merge.
Updated by Jim Pingle 7 days ago
- Subject changed from Connections from the firewall itself fail when packets are too big to Connections from the firewall itself fail with oversize packets and TSO enabled
Worth noting that TSO is disabled by default, so someone would have to have gone out of their way to enable TSO, which is not a recommended practice. And to work around it, all they have to do is check the box to disable TSO again.
Additionally, while it is possible in theory for this to happen on IPv4, it primarily affects IPv6.
Updated by Jim Pingle 7 days ago
Added an errata entry to the 25.11 release notes: https://docs.netgate.com/pfsense/en/latest/releases/25-11.html#ipv6-connection-failures-with-tso-enabled
Updated by Jim Pingle 6 days ago
- Plus Target Version changed from 26.03 to 25.11.1