tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: IPv6 TCP sessions hangs when using PF keep state

On Monday, at 11:50, Anthony Mallet wrote:
| | I'm using PF as my gateway's packet filter for a while, and I
| | notice weird behaviours since I upgraded that server to NetBSD 6.0.

Another issue that I just discovered (man pf.conf) : Currently, only IPv4
fragments are supported and IPv6 fragments are blocked unconditionally.

This means that if you initiate a TCP connection with a big MSS (e.g. 1460 on a
gif tunnel with a 1480 MTU), the connection will eventually stall if the
other part starts sending ipv6-frag packets.

You might want to try to clamp the mss of outgoing connections with "max-mss
1420" if you have a MTU of 1480.

Home | Main Index | Thread Index | Old Index