Project

General

Profile

Actions

Bug #3666

closed

PMTUD is broken for NATed traffic

Added by Chris Buechler over 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
Ermal Luçi
Category:
Operating System
Target version:
Start date:
05/17/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

Where you have an interface on a system with a lower MTU than other interfaces, send traffic larger than the MTU of the egress interface, and have pf enabled, you end up with a PMTUD black hole.

For example, simple LAN and WAN setup:
- set LAN to 1500 MTU and WAN to 1000
- send something from a host on LAN destined to something on WAN that's bigger than WAN's MTU with DF set, such as with hping:
hping3 -y -d 1400 -2 -p 12345 $dest_IP

where 12345 is the port and $dest_IP is an IP or hostname to send the traffic.

With pf enabled, the packet just disappears, the client gets nothing back. Disable pf, and you get back the appropriate "frag needed, DF set" ICMP error.

The above description and symptoms are specific to 2.2/10-STABLE, as of the most recent snapshot available at the time of this writing.


Files

broken-rules.debug (6.43 KB) broken-rules.debug Chris Buechler, 06/11/2014 05:59 AM
broken-pfctl-vvsr.txt (19.2 KB) broken-pfctl-vvsr.txt Chris Buechler, 06/11/2014 05:59 AM
broken-pfctl-vvsn.txt (2.09 KB) broken-pfctl-vvsn.txt Chris Buechler, 06/11/2014 05:59 AM
Actions

Also available in: Atom PDF