Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related
To: None <kern-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Arto Selonen <arto@selonen.org>
List: netbsd-bugs
Date: 03/01/2005 09:06:01
The following reply was made to PR kern/29560; it has been noted by GNATS.
From: Arto Selonen <arto@selonen.org>
To: Christos Zoulas <christos@zoulas.com>
Cc: gnats-bugs@netbsd.org, kern-bug-people@netbsd.org,
gnats-admin@netbsd.org
Subject: Re: kern/29560: latest ipfilter does not allow certain IPSEC related
traffic through
Date: Tue, 1 Mar 2005 11:04:58 +0200 (EET)
Hi!
On Mon, 28 Feb 2005, Christos Zoulas wrote:
> On Feb 28, 8:04pm, arto@selonen.org (arto@selonen.org) wrote:
> -- Subject: kern/29560: latest ipfilter does not allow certain IPSEC related
>
> Does this fix the problem?
[patch omitted]
Yes, it does. Testing the connection with HTTP traffic prior to patching
showed that larger responses never reached the client. For typical web
pages the server returned MTU-sized (1500 bytes for the connection
between the problem box and the web server) packets that got stuck in the
problem box, as it needed to fragment them to squeeze them into the IPSEC
pipe. DF was set, no need-to-fragment was sent, packets dropped (?, did not
check counters, though), no traffic flow.

After patching, the patched box responds to those larger packets (in
my case 1280 bytes was the largest that would fit into the IPSEC pipe)
with an unreachable-need-to-frag ICMP message, and the server seems to
adapt. Traffic flows, problem solved.

My PR was far from reasonable, yet you have responded very quickly, and
with a seemingly complete fix. I apologize for my lack of self-control,
as I should have been able to communicate my frustration in a more
constructive manner. And thank you for the quick fix!

Artsi
--
#######======------ http://www.selonen.org/arto/ --------========########
Everstinkuja 5 B 35 Don't mind doing it.
FIN-02600 Espoo arto@selonen.org Don't mind not doing it.
Finland tel +358 50 560 4826 Don't know anything about it.