Date:      Thu, 19 May 2016 05:19:38 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-pf@FreeBSD.org
Subject:   [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Message-ID:  <bug-207598-17777-qsQiRGIbhg@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
References:  <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #2 from emz@norma.perm.ru ---
Sorry it took that long (I was kinda overwhelmed by the amount of work).

So, same setup: A <---gre/ipsec---> B <---gre/ipsec---> C.

1) ipsec removed between A and B. The issue persists.
2) pf disabled on B. The issue is no more.
3) ipsec added on B, pf still disabled. The issue is no more.
4) ipsec still on, pf enabled on B. The issue is back.
5) ipsec enabled, pf enabled, the following line removed from pf on B:

scrub on $oif from !<voippbxes> fragment reassemble

The issue persists.

6) Line from previous point added back, removed the line

scrub on gre0 max-mss 1360

where gre0 is the B <---> C tunnel

and the issue is gone.

But I don't understand how the MSS enforcing can affect the ICMP packets, while
it should only affect TCP.
