Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 16 Feb 2026 20:27:02 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 293227] VNET jail regression on 14-STABLE from 14.3 using bridge and epair
Message-ID:  <bug-293227-227@https.bugs.freebsd.org/bugzilla/>
index | next in thread | raw e-mail 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293227

            Bug ID: 293227
           Summary: VNET jail regression on 14-STABLE from 14.3 using
                    bridge and epair
           Product: Base System
           Version: 14.3-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: tom@eborcom.com

I am running a recent 14-STABLE (14-n273651-d7207388cc58) and I see a network
regression from 14.3-RELEASE running VNET jails using bridge(4) and epair(4).

The problem occurs when a client receives data from an IPv6 TCP server running
in a VNET jail when the jail has a larger MTU than either the client or another
device that packets route through.  I noticed this using a wg(4) tunnel with
mtu 1420 between the client and server.

On 14.3-RELEASE, the jail receives an "ICMP6, packet too big" message which
causes it to send smaller packets, but on 14-STABLE the jail repeatedly
receives these ICMP messages but does not decrease the size of packets it
sends.

I first noticed this problem running an nginx server in the jail and curl(1) on
the client, but can also reproduce it running nc(1).

To reproduce the problem, create a VNET jail using bridge(4) in epair(4), with
the bridge and jailed epair interface having IPv6 addresses within the same
prefix.  The jail host needs the "net.inet6.ip6.forwarding" sysctl set.  The
client needs to have a smaller mtu that the jail's bridge and epair interfaces,
which default to 1500.

I notice that 503bf058cd0 was committed to STABLE-14 after 14.3 release to
checksum offloading support for epair, but I don't know if this matters.

Please let me know if you would like me to run any specific diagnostic
commands, test experimental code, or if you need more detail about what I
observe.

-- 
You are receiving this mail because:
You are the assignee for the bug.
home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-293227-227>