From owner-freebsd-pf@freebsd.org  Tue May 24 06:49:41 2016
Return-Path: <owner-freebsd-pf@freebsd.org>
Delivered-To: freebsd-pf@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5A26EB4893D
 for <freebsd-pf@mailman.ysv.freebsd.org>; Tue, 24 May 2016 06:49:41 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3CEFB1A8C
 for <freebsd-pf@FreeBSD.org>; Tue, 24 May 2016 06:49:41 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id u4O6ncMU051747
 for <freebsd-pf@FreeBSD.org>; Tue, 24 May 2016 06:49:41 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-pf@FreeBSD.org
Subject: [Bug 207598] pf adds icmp unreach on gre/ipsec somehow
Date: Tue, 24 May 2016 06:49:39 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 10.2-STABLE
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: kp@freebsd.org
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-pf@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-207598-17777-Ryxepilyb5@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
References: <bug-207598-17777@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Technical discussion and general questions about packet filter
 \(pf\)" <freebsd-pf.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-pf/>
List-Post: <mailto:freebsd-pf@freebsd.org>
List-Help: <mailto:freebsd-pf-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-pf>,
 <mailto:freebsd-pf-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 May 2016 06:49:41 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=207598

--- Comment #5 from Kristof Provost <kp@freebsd.org> ---
(In reply to Max from comment #3)
Scrubbing in both directions should be safe, even with fragment reassemble.
In IPv4 it's OK for a frame to not fit in the MTU. The router will fragment.
(There's special casing in pf to handle the IPv6 scenario, but that doesn't
seem to be relevant here.)

It's also very strange that the mss setting has an influence on ICMP packets.
I'd only expect that to affect TCP streams.

It'd be interesting to get packet captures here (tcpdump -n -i <interface> -s0
-w output.pcap) of both the ICMP echo request and the ICMP error packets.
Ideally capture on an interface outside the GRE tunnel (so we get the GRE
headers too).

-- 
You are receiving this mail because:
You are the assignee for the bug.
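Editor's added example (not part of the bug report or of Kristof's comment): a small
stdlib-only Python decoder for the layering a capture taken outside the GRE tunnel
shows, outer IPv4 -> GRE -> inner IPv4 -> ICMP. It verifies the IP and ICMP checksums,
and for an ICMP Destination Unreachable it also decodes the quoted original header,
which is what tells you which inner flow the error was generated for (and, for code 4,
the advertised next-hop MTU). The tunnel and host addresses, the 1400-byte MTU and the
two sample frames are constructed here for illustration; the decoder takes raw IPv4
bytes rather than reading a pcap file, so it runs offline.

```python
"""Decode GRE-encapsulated IPv4/ICMP frames as seen on the outer interface."""
import socket
import struct

IPPROTO_ICMP, IPPROTO_GRE, ETHERTYPE_IPV4 = 1, 47, 0x0800
ICMP_ECHO_REPLY, ICMP_UNREACH, ICMP_ECHO = 0, 3, 8
ICMP_UNREACH_NEEDFRAG = 4


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 when the buffer's checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, df=False):
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_icmp(typ, code, rest, payload=b""):
    """ICMP message; 'rest' is the 32-bit word after the checksum (id/seq, or unused/MTU)."""
    msg = struct.pack("!BBHI", typ, code, 0, rest) + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def build_gre(inner, proto=ETHERTYPE_IPV4):
    """Base GRE header (RFC 2784): no C/K/S bits, version 0, payload protocol type."""
    return struct.pack("!HH", 0, proto) + inner


def parse_ipv4(data):
    """Return (header dict, payload) after checking version, IHL and header checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not an IPv4 header")
    if inet_checksum(data[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "ttl": ttl, "total_len": total_len, "df": bool(flags_frag & 0x4000),
           "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF}
    return hdr, data[ihl:total_len]


def parse_icmp(data):
    """Decode the ICMP header; for Destination Unreachable also decode the quoted datagram."""
    if len(data) < 8:
        raise ValueError("truncated ICMP header")
    if inet_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, rest = struct.unpack("!BBHI", data[:8])
    info = {"type": typ, "code": code}
    if typ in (ICMP_ECHO, ICMP_ECHO_REPLY):
        info["id"], info["seq"] = rest >> 16, rest & 0xFFFF
    elif typ == ICMP_UNREACH:
        if code == ICMP_UNREACH_NEEDFRAG:
            info["next_hop_mtu"] = rest & 0xFFFF  # RFC 1191: low 16 bits carry the MTU
        # The error quotes the offending datagram's IP header plus at least 8 bytes of it.
        info["quoted"], _ = parse_ipv4(data[8:])
    return info


def decode_gre_frame(pkt):
    """outer IPv4 -> GRE -> inner IPv4 -> ICMP, the view from outside the tunnel."""
    outer, gre = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE" % outer["proto"])
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0xB000:  # C, K or S set: optional fields follow, not handled here
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload 0x%04x is not IPv4" % ptype)
    inner, payload = parse_ipv4(gre[4:])
    result = {"outer": outer, "inner": inner}
    if inner["proto"] == IPPROTO_ICMP:
        result["icmp"] = parse_icmp(payload)
    return result


def describe(pkt):
    """One-line summary of a decoded frame, in the spirit of tcpdump's output."""
    d = decode_gre_frame(pkt)
    line = "%s > %s GRE | %s > %s proto %d" % (d["outer"]["src"], d["outer"]["dst"],
                                              d["inner"]["src"], d["inner"]["dst"], d["inner"]["proto"])
    icmp = d.get("icmp")
    if icmp:
        line += " | ICMP type %d code %d" % (icmp["type"], icmp["code"])
        if "quoted" in icmp:
            line += " for %s > %s" % (icmp["quoted"]["src"], icmp["quoted"]["dst"])
        if "next_hop_mtu" in icmp:
            line += " mtu %d" % icmp["next_hop_mtu"]
    return line


# Constructed sample traffic (addresses and sizes are illustrative, not from the bug report):
# tunnel endpoints 192.0.2.1 <-> 198.51.100.1 carrying 10.0.0.0/24 <-> 10.0.1.0/24.
_ORIG_ECHO = build_ipv4("10.0.0.1", "10.0.1.1", IPPROTO_ICMP,
                        build_icmp(ICMP_ECHO, 0, (0x1234 << 16) | 1, b"x" * 1400), df=True)
ECHO_REQUEST = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE, build_gre(_ORIG_ECHO))
# "Fragmentation needed" from the far tunnel router, quoting the first 28 bytes of the echo.
FRAG_NEEDED = build_ipv4("198.51.100.1", "192.0.2.1", IPPROTO_GRE, build_gre(
    build_ipv4("10.0.1.254", "10.0.0.1", IPPROTO_ICMP,
               build_icmp(ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG, 1400, _ORIG_ECHO[:28]))))

if __name__ == "__main__":
    for frame in (ECHO_REQUEST, FRAG_NEEDED):
        print(describe(frame))
```

When triaging a real capture of this kind, the quoted header inside the unreachable is
the field to compare against the echo request: if the quoted src/dst/proto match a flow
that should have been passed, and the DF bit is set on it, the error is a PMTU signal
for that flow rather than noise from some other host.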