
pf: work around icmp6 packet-too-big not being sent when binat-ing

Description

pf: work around icmp6 packet-too-big not being sent when binat-ing

If we're applying NPTv6 we pass a packet with a modified source and/or
destination address to the network stack.

If that packet then turns out to be larger than the MTU of the sending
interface the stack will attempt to generate an icmp6 packet-too-big
error, but may fail to look up the appropriate source address for that
error message. Even if it does, pf would still have to undo the binat
operation inside the icmp6 packet so the sending host can make sense of
the error.

We can avoid both problems entirely by having pf also perform the MTU
check (taking the potential refragmentation into account), and
generating the icmp6 error directly in pf.

See also: https://redmine.pfsense.org/issues/14290
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D43499
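The two steps the commit message describes, the MTU check and the locally generated icmp6 packet-too-big error with the binat undone inside the quoted packet, modelled as a small stand-alone C program. This is an added illustration, not pf's code and not part of the review: the structures are raw byte arrays rather than kernel mbufs, the function names (`ptb_needed`, `build_ptb`, `demo`) and the sample addresses are constructed for the example, the rule that a reassembled packet is refragmented at its largest original fragment size is an assumption of the model, and the address the error is sent from (`err_src`) is simply passed in rather than looked up. The checksum-neutral word adjustment that NPTv6 applies to translated addresses is omitted.

```c
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN         40
#define IPV6_MIN_MTU         1280  /* RFC 8200: an ICMPv6 error never exceeds this */
#define ICMP6_PTB_HDR_LEN    8     /* type, code, checksum, 32-bit MTU */
#define ICMP6_PACKET_TOO_BIG 2
#define IPPROTO_ICMPV6       58

static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
	for (; n > 1; n -= 2, p += 2)
		sum += ((uint32_t)p[0] << 8) | p[1];
	return n ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* ICMPv6 checksum: pseudo-header (src, dst, length, zeros, next header 58) + message. */
uint16_t icmp6_cksum(const uint8_t *src, const uint8_t *dst, const uint8_t *msg, size_t len)
{
	uint8_t ph[8] = { (uint8_t)(len >> 24), (uint8_t)(len >> 16), (uint8_t)(len >> 8),
	                  (uint8_t)len, 0, 0, 0, IPPROTO_ICMPV6 };
	uint32_t s = csum_add(csum_add(csum_add(csum_add(0, src, 16), dst, 16), ph, 8), msg, len);
	while (s >> 16)
		s = (s & 0xffff) + (s >> 16);
	return (uint16_t)~s;
}

/* max_frag_len: largest fragment of a packet pf reassembled, 0 if it arrived whole.
 * Assumed in this model: such packets are refragmented on output at that size, so
 * that is the length that must fit the link, not the reassembled length. */
int ptb_needed(size_t pkt_len, size_t if_mtu, size_t max_frag_len)
{
	return (max_frag_len ? max_frag_len : pkt_len) > if_mtu;
}

/* pkt carries the post-binat (translated) addresses; orig_src/orig_dst are what the
 * sender used and are restored in the quoted copy. err_src (an assumption here) is
 * the address the error is sent from. Returns bytes written, 0 on bad input. */
size_t build_ptb(const uint8_t *pkt, size_t pkt_len, uint32_t mtu, const uint8_t *orig_src,
    const uint8_t *orig_dst, const uint8_t *err_src, uint8_t *out, size_t out_cap)
{
	const size_t max_quote = IPV6_MIN_MTU - IPV6_HDR_LEN - ICMP6_PTB_HDR_LEN;
	if (pkt_len < IPV6_HDR_LEN || out_cap < IPV6_MIN_MTU)
		return 0;
	size_t quote = pkt_len < max_quote ? pkt_len : max_quote;
	size_t icmp_len = ICMP6_PTB_HDR_LEN + quote;
	uint8_t *ip6 = out, *icmp = out + IPV6_HDR_LEN, *inner = icmp + ICMP6_PTB_HDR_LEN;

	memcpy(inner, pkt, quote);
	memcpy(inner + 8, orig_src, 16);   /* undo the binat inside the quoted header */
	memcpy(inner + 24, orig_dst, 16);

	memset(icmp, 0, ICMP6_PTB_HDR_LEN);
	icmp[0] = ICMP6_PACKET_TOO_BIG;    /* code stays 0 */
	icmp[4] = (uint8_t)(mtu >> 24); icmp[5] = (uint8_t)(mtu >> 16);
	icmp[6] = (uint8_t)(mtu >> 8);  icmp[7] = (uint8_t)mtu;

	memset(ip6, 0, IPV6_HDR_LEN);
	ip6[0] = 0x60;
	ip6[4] = (uint8_t)(icmp_len >> 8); ip6[5] = (uint8_t)icmp_len;
	ip6[6] = IPPROTO_ICMPV6;
	ip6[7] = 64;                       /* hop limit */
	memcpy(ip6 + 8, err_src, 16);
	memcpy(ip6 + 24, orig_src, 16);    /* deliver to the untranslated sender */

	uint16_t c = icmp6_cksum(err_src, orig_src, icmp, icmp_len);
	icmp[2] = (uint8_t)(c >> 8); icmp[3] = (uint8_t)c;
	return IPV6_HDR_LEN + icmp_len;
}

/* Constructed scenario: a 1400-byte UDP packet leaves an NPTv6 binat toward a 1280-byte link.
 * Addresses are illustrative; NPTv6's checksum-neutral word adjustment is omitted. */
static const uint8_t ORIG_SRC[16] = {0x20,0x01,0x0d,0xb8,0,1,0,0, 0,0,0,0,0,0,0,0x10};    /* 2001:db8:1::10 */
static const uint8_t XLAT_SRC[16] = {0x20,0x01,0x0d,0xb8,0,2,0,0, 0,0,0,0,0,0,0,0x10};    /* 2001:db8:2::10 */
static const uint8_t DST[16]      = {0x20,0x01,0x0d,0xb8,0xff,0xff,0,0, 0,0,0,0,0,0,0,1}; /* 2001:db8:ffff::1 */
static const uint8_t ERR_SRC[16]  = {0x20,0x01,0x0d,0xb8,0,2,0,0, 0,0,0,0,0,0,0,1};       /* 2001:db8:2::1 */

/* Returns the error's length (1280) when every field checks out, -1 otherwise. */
int demo(void)
{
	uint8_t pkt[1400], err[IPV6_MIN_MTU];
	memset(pkt, 0xab, sizeof pkt);
	pkt[0] = 0x60; pkt[4] = 0x05; pkt[5] = 0x50; pkt[6] = 17; pkt[7] = 64;  /* payload len 1360, UDP */
	memcpy(pkt + 8, XLAT_SRC, 16);     /* the addresses as binat rewrote them */
	memcpy(pkt + 24, DST, 16);

	if (!ptb_needed(sizeof pkt, 1280, 0))
		return -1;
	size_t n = build_ptb(pkt, sizeof pkt, 1280, ORIG_SRC, DST, ERR_SRC, err, sizeof err);
	const uint8_t *icmp = err + IPV6_HDR_LEN, *inner = icmp + ICMP6_PTB_HDR_LEN;
	if (n != IPV6_MIN_MTU || icmp[0] != ICMP6_PACKET_TOO_BIG || icmp[1] != 0)
		return -1;
	if (memcmp(inner + 8, ORIG_SRC, 16) || memcmp(err + 24, ORIG_SRC, 16))
		return -1;   /* binat not undone in the quote, or error sent to the wrong host */
	if (icmp6_cksum(ERR_SRC, ORIG_SRC, icmp, n - IPV6_HDR_LEN) != 0)
		return -1;   /* a correct checksum verifies to zero */
	return (int)n;
}
```

The quoted packet is truncated so the whole error fits in 1280 bytes, which is why a 1400-byte offender yields a 1280-byte error; the sender matches the error to its own packet by the restored addresses in the quote, which is exactly what fails if the binat is left in place.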

Details

Provenance
Authored by kp on Jan 17 2024, 5:11 PM
Differential Revision
D43499: pf: work around icmp6 packet-too-big not being sent when binat-ing
Parents
rGf7d3d0a4ded3: sound: use device_set_descf() to set device descriptions