Subject: Re: Lower MTU behind NAT
To: None <itojun@iijlab.net>
From: Feico Dillema <feico@PASTA.cs.uit.no>
List: current-users
Date: 02/05/2001 00:04:28
On Mon, Feb 05, 2001 at 07:38:12AM +0900, itojun@iijlab.net wrote:
> 
> >I have a bit of a problem with NAT and ICMP and haven't been able to
> >find the answer in the ipfilter documentation. I hope you can give me
> >a hint whether and how this can be fixed. I have the following setup:
> >
> >client <=> gif tunnel MTU=1280 <==> NAT <==> Outside world
> >
> >Problem is that TCP connections to servers using PMTU discovery fail
> >as the internal IP-addresses in ICMP messages do not get translated.
> >The NAT machine sends out ICMP mesgs like:
> >
> >17:35:40.185184 129.242.16.119 > 193.166.3.2: icmp: 10.1.1.2 unreachable - need to frag (mtu 1280) (ttl 255, id 35140)
> >
> >Rewriting these addrs in ICMP msg is maybe not perfectly correct, but
> >it would make my setup work. So, I'd like to know whether there's some
> >rule I can add for this.
> 
> 	NAT = ipnat (in ipfilter)?
Yes, on NetBSD-1.5.1 branch.

> 	then, this should be the same problem as PR 10993.  not sure
Ah, should've checked the PR database first...

> 	if recent ipfilter corrects it or not.
> 	http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=10993
Hmmm, the PR says a fix is available from recent ipfilter source or
netbsd-current. If so, it would be nice to see it appear on the 1.5.1
branch...

Feico.
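
The failure discussed in this thread, as an added example that is not part of the original messages and is not ipfilter's code: the "need to frag" error quotes the offending packet's IP header, and the sketch below restores the public destination in that quoted header and recomputes both checksums. The function names, the constructed sample packet, and the mapping of 10.1.1.2 to 129.242.16.119 (taken from the tcpdump line's source address) are assumptions; only the address is rewritten, and a port-mapping NAT would also have to restore the quoted TCP port.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ip_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def need_frag(mtu: int, quoted: bytes) -> bytes:
    """ICMP type 3 code 4 message quoting the offending packet's header."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def fix_quoted_dst(icmp: bytes, nat: dict) -> bytes:
    """Rewrite an internal destination in the quoted header to its public address."""
    if icmp[0] != 3 or icmp[1] != 4 or len(icmp) < 28:
        return icmp  # not a need-to-frag error with a full quoted header
    ihl = (icmp[8] & 0x0F) * 4
    if ihl < 20 or len(icmp) < 8 + ihl:
        return icmp  # malformed quoted header, leave untouched
    inner = bytearray(icmp[8:8 + ihl])
    public = nat.get(socket.inet_ntoa(bytes(inner[16:20])))
    if public is None:
        return icmp  # quoted destination is not one of our internal hosts
    inner[16:20] = socket.inet_aton(public)
    inner[10:12] = b"\x00\x00"
    inner[10:12] = struct.pack("!H", checksum(bytes(inner)))
    body = icmp[:2] + b"\x00\x00" + icmp[4:8] + bytes(inner) + icmp[8 + ihl:]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

# Constructed sample: the server's packet as seen after inbound NAT, then the error.
NAT = {"10.1.1.2": "129.242.16.119"}  # internal -> public (assumed mapping)
QUOTED = ip_header("193.166.3.2", "10.1.1.2", 6, 1500) + bytes(8)
SAMPLE = need_frag(1280, QUOTED)
FIXED = fix_quoted_dst(SAMPLE, NAT)
```
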