From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Thu, 19 May 2016 05:19:38 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: emz@norma.perm.ru
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #2 from emz@norma.perm.ru ---
Sorry it took that long (I was kinda overwhelmed by the amount of work).

So, same setup: A <---gre/ipsec---> B <---gre/ipsec---> C.

1) ipsec removed between A and B. The issue persists.
2) pf disabled on B. The issue is no more.
3) ipsec added on B, pf still disabled. The issue is no more.
4) ipsec still on, pf enabled on B. The issue is back.
5) ipsec enabled, pf enabled, the following line removed from pf on B:

   scrub on $oif from ! fragment reassemble

   The issue persists.
6) Line from previous point added back, removed the line

   scrub on gre0 max-mss 1360

   where gre0 is the B <---> C tunnel and the issue is gone.

But I don't understand how the MSS enforcing can affect the ICMP packets, while
it should only affect TCP.