With the state of the "art" in packet filtering these days, many sites
block ALL ICMP, not just the stuff that is commonly abused.  This, of
course, breaks PMTU.

So, one hack I made to the GRE driver was to never set the DF bit on
outgoing outer layer packets.  this suddenly made web sites that I
couldn't reach reachable.

It may violate a spec here or there, but I'd trade no-operation for
fragmentation any day...

--Michael

Jason R Thorpe <thorpej@zembu.com> writes:

> I looked at each of those RFCs... It's been a while since I made the change,
> so I may be remembering incorrectly, but I'm almost certain that each of
> them said that if the DF bit is present on the inner packet, it must be
> present on the outer packet as well.
> 
> If I read it wrong, well... let's fix it, I guess.  The previous behavior
> wasn't exactly optimal, either :-)
> 
> -- 
>         -- Jason R. Thorpe <thorpej@zembu.com>