pf: work around icmp6 packet-too-big not being sent when binat-ing
Status: Closed, Public

Authored by kp on Jan 18 2024, 6:40 PM.
Details

Summary

If we're applying NPTv6 we pass a packet with a modified source and/or
destination address to the network stack.

If that packet then turns out to be larger than the MTU of the sending
interface the stack will attempt to generate an icmp6 packet-too-big
error, but may fail to look up the appropriate source address for that
error message. Even if it does, pf would still have to undo the binat
operation inside the icmp6 packet so the sending host can make sense of
the error.

We can avoid both problems entirely by having pf also perform the MTU
check (taking the potential refragmentation into account), and
generating the icmp6 error directly in pf.

See also: https://redmine.pfsense.org/issues/14290
Sponsored by: Rubicon Communications, LLC ("Netgate")
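To make the two points of the summary concrete (the MTU check must use the largest original fragment when pf will refragment, and an error generated by pf can quote the untranslated packet so nothing inside it needs the binat undone), here is an added Python illustration. It is not the code of this review or of pf; the MTU rule, the addresses and the sizes are constructed assumptions, and the ICMPv6 Packet Too Big encoding follows RFC 4443 and RFC 8200.

```python
import ipaddress
import struct

IPV6_MIN_MTU = 1280  # RFC 8200: every IPv6 link must carry 1280-byte packets
ICMP6_PACKET_TOO_BIG = 2  # RFC 4443 type 2, code 0

def ipv6_checksum(src, dst, next_header, payload):
    """RFC 8200 upper-layer checksum over pseudo-header + payload."""
    pseudo = src.packed + dst.packed + struct.pack("!IxxxB", len(payload), next_header)
    data = pseudo + payload + (b"\x00" if len(payload) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def exceeds_mtu(total_len, mtu, reassembled_max_frag=None):
    """Illustrative MTU test, not pf's code: a packet pf reassembled is refragmented
    on output, so its largest original fragment is what must fit the egress MTU."""
    if reassembled_max_frag is not None:
        return reassembled_max_frag > mtu
    return total_len > mtu

def make_ipv6_packet(src, dst, payload_len, next_header=59):
    """Constructed test packet: plain IPv6 header, 'No Next Header', zero payload."""
    hdr = struct.pack("!IHBB", 0x60000000, payload_len, next_header, 64)
    return hdr + src.packed + dst.packed + bytes(payload_len)

def packet_too_big(orig_pkt, router, mtu):
    """ICMPv6 Packet Too Big to the untranslated source, quoting the untranslated
    packet (so nothing inside the error needs the binat undone); quote capped to 1280."""
    orig_src = ipaddress.IPv6Address(orig_pkt[8:24])
    quoted = orig_pkt[: IPV6_MIN_MTU - 40 - 8]
    body = struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu) + quoted
    csum = ipv6_checksum(router, orig_src, 58, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    hdr = struct.pack("!IHBB", 0x60000000, len(body), 58, 255)
    return hdr + router.packed + orig_src.packed + body

# Constructed scenario (made-up addresses and sizes): a host behind an NPTv6
# prefix sends a 1500-byte packet and the egress interface MTU is 1400.
HOST = ipaddress.IPv6Address("2001:db8:1::10")   # source before translation
PEER = ipaddress.IPv6Address("2001:db8:2::1")
ROUTER = ipaddress.IPv6Address("2001:db8:1::1")  # pf box address on the host's side
EGRESS_MTU = 1400

def demo():
    pkt = make_ipv6_packet(HOST, PEER, 1500 - 40)
    if not exceeds_mtu(len(pkt), EGRESS_MTU):
        return None
    return packet_too_big(pkt, ROUTER, EGRESS_MTU)
```

Note that `exceeds_mtu(1500, 1400, reassembled_max_frag=1280)` is false: a reassembled packet that pf will cut back into 1280-byte fragments fits a 1400-byte link even though the whole is larger.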

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 55481
Build 52370: arc lint + arc unit