Subject: Re: NAT vs PMTU-D
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Daniel Hartmeier <daniel@benzedrine.cx>
List: tech-net
Date: 04/17/2006 13:33:44
On Sun, Apr 16, 2006 at 11:17:53PM -0400, der Mouse wrote:

> - Large packet arrives from "inside"
> - NAT does nothing on input
> - ip_input calls ip_forward
> - ip_forward calls ip_output
> - ip_output calls the pfil_hook which NATs the packet
> - ip_output discovers the packet doesn't fit
> - ip_output calls icmp_error

I don't see how ip_output() would call icmp_error() itself. If the
packet size exceeds MTU and can't be fragmented, ip_output() simply
drops the packet and returns EMSGSIZE to ip_forward().

It is ip_forward() that calls icmp_error() when ip_output() returned an
error.

But ip_forward() makes a copy of the packet (header) before calling
ip_output() on the original packet. If it later does generate an ICMP
error, it is based on that copy. Since the copy is pre-ip_output(), it
is not NATed, and the ICMP error should not refer to the NATed packet at
all.

So, I'm puzzled at how you can actually see what you describe. I've only
checked -rHEAD sources, but this hasn't changed recently (i.e. the last
two years) AFAIK. Are you doing some encapsulation, where NAT happens on
the decapsulated layer and MTU fails on the encapsulated layer or
something like that?

Daniel
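The packet path argued over above, as an added C model that is not part of this thread or of the NetBSD sources: toy header structs, a source-NAT output hook standing in for the pfil(9) hook, an ip_output() that only returns EMSGSIZE, and an ip_forward() that can save its header copy either before ip_output() (what the reply says the real code does) or after it (hypothetical), so you can see which source address the ICMP "fragmentation needed" error ends up quoting in each case. The addresses, packet sizes and helper names are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed addresses for the demo (hypothetical, not from the thread). */
#define INSIDE_SRC   0x0A000005u   /* 10.0.0.5, the host behind the NAT      */
#define NAT_PUBLIC   0xC0000201u   /* 192.0.2.1, the NAT's external address  */
#define FAR_DST      0xC6336401u   /* 198.51.100.1, some remote destination  */

/* A toy IPv4 header: just the fields the argument depends on. */
struct ip_hdr {
    uint32_t src;
    uint32_t dst;
    uint16_t len;   /* total length in bytes */
    int      df;    /* Don't Fragment bit */
};

/* ICMP destination unreachable / fragmentation needed (type 3, code 4),
 * carrying the offending IP header as RFC 792 requires. */
struct icmp_err {
    int           type;
    int           code;
    unsigned      next_mtu;
    struct ip_hdr quoted;
};

/* Stand-in for the pfil output hook: source-NAT inside -> public. */
static void pfil_nat_output(struct ip_hdr *ip)
{
    if (ip->src == INSIDE_SRC)
        ip->src = NAT_PUBLIC;
}

/* Stand-in for ip_output(): runs the output hook, then drops the packet with
 * EMSGSIZE if it exceeds the MTU and DF is set. It never calls icmp_error(). */
static int ip_output(struct ip_hdr *ip, unsigned mtu)
{
    pfil_nat_output(ip);
    if (ip->len > mtu && ip->df)
        return EMSGSIZE;
    return 0;
}

/* Stand-in for ip_forward(). copy_before_output selects whether the header
 * saved for the ICMP error is taken before ip_output() (the behaviour the
 * reply describes) or after it (a hypothetical variant). Returns ip_output()'s
 * error and fills *err when an ICMP error would be generated. */
static int ip_forward(struct ip_hdr *ip, unsigned mtu, int copy_before_output,
                      struct icmp_err *err)
{
    struct ip_hdr mcopy;
    int error;

    if (copy_before_output)
        mcopy = *ip;            /* pre-NAT copy, as in the real ip_forward() */
    error = ip_output(ip, mtu);
    if (!copy_before_output)
        mcopy = *ip;            /* hypothetical post-NAT copy */

    if (error == EMSGSIZE) {
        err->type = 3;
        err->code = 4;
        err->next_mtu = mtu;
        err->quoted = mcopy;    /* icmp_error() quotes the saved copy */
    }
    return error;
}

/* Forward one 1500-byte DF packet over a 1400-byte link and return the source
 * address quoted in the resulting ICMP error (0 if no error was generated). */
uint32_t quoted_src_after_forward(int copy_before_output)
{
    struct ip_hdr ip = { INSIDE_SRC, FAR_DST, 1500, 1 };
    struct icmp_err err = { 0, 0, 0, { 0, 0, 0, 0 } };

    if (ip_forward(&ip, 1400, copy_before_output, &err) != EMSGSIZE)
        return 0;
    return err.quoted.src;
}

int main(void)
{
    printf("copy before ip_output: ICMP quotes src 0x%08x (inside address)\n",
           quoted_src_after_forward(1));
    printf("copy after  ip_output: ICMP quotes src 0x%08x (NATed address)\n",
           quoted_src_after_forward(0));
    return 0;
}
```

With the copy taken before ip_output(), the quoted header still carries the inside source, which is also where the ICMP error is sent back to, so the inside host sees its own packet and can lower its path MTU; only the post-output variant would produce the NATed header the original report describes, which is why the reply suspects a second layer such as encapsulation rather than this code path.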