Page MenuHomeFreeBSD

pf: work around icmp6 packet-too-big not being sent when binat-ing
ClosedPublic

Authored by kp on Jan 18 2024, 6:40 PM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, May 20, 10:49 AM
Unknown Object (File)
Mon, May 13, 4:05 AM
Unknown Object (File)
Mon, Apr 29, 3:28 AM
Unknown Object (File)
Apr 9 2024, 8:36 PM
Unknown Object (File)
Mar 17 2024, 2:08 AM
Unknown Object (File)
Mar 17 2024, 2:07 AM
Unknown Object (File)
Mar 17 2024, 2:07 AM
Unknown Object (File)
Mar 14 2024, 9:01 AM

Details

Summary

If we're applying NPTv6 we pass a packet with a modified source and/or
destination address to the network stack.

If that packet then turns out to be larger than the MTU of the sending
interface the stack will attempt to generate an icmp6 packet-too-big
error, but may fail to look up the appropriate source address for that
error message. Even if it does, pf would still have to undo the binat
operation inside the icmp6 packet so the sending host can make sense of
the error.

We can avoid both problems entirely by having pf also perform the MTU
check (taking the potential refragmentation into account), and
generating the icmp6 error directly in pf.

See also: https://redmine.pfsense.org/issues/14290
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable