I updated my home gateway from 4.5-stable to -current and consequently had to update the scrub part of my pf.conf.

Old:

scrub on enc0 inet6 all max-mss 1362
scrub on enc0 inet all max-mss 1398
scrub in all
scrub out on $ext4 all max-mss 1440

New:

match on enc0 inet6 all scrub (max-mss 1362)
match on enc0 inet all scrub (max-mss 1398)
match out on $ext4 all scrub (max-mss 1440)

Let's see how this works on enc0 (.1, ::1 is the gateway):

13:23:29.872301 (authentic,confidential): SPI 0x394de551: 172.16.1.98 > 172.16.1.1: 172.16.1.98.7007 > 172.16.0.1.22: S [tcp sum ok] 1091414420:1091414420(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1529218902 0> (DF) (ttl 64, id 55274, len 64) (DF) (ttl 64, id 57618, len 84)
13:23:29.872456 (authentic,confidential): SPI 0x96c33c4f: 172.16.1.1 > 172.16.1.98: 172.16.0.1.22 > 172.16.1.98.7007: S [tcp sum ok] 734342523:734342523(0) ack 1091414421 win 16384 <mss 1398,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3492388531 1529218902> (ttl 64, id 60777, len 64) (ttl 64, id 2922, len 84, bad cksum 0!)

Weird. Why is max-mss only applied in the outgoing direction?

Let's try IPv6:

13:24:35.948035 (authentic,confidential): SPI 0x05c55eb6: 2001:6f8:124a:1:20e:35ff:fee5:1333 > 2001:6f8:124a:1::1: 2001:6f8:124a:1:20e:35ff:fee5:1333.37002 > 2001:6f8:124a::1.22: S 146265356:146265356(0) win 16384 <mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3373752058 0> [flowlabel 0x73dae] (len 44, hlim 64) (len 84, hlim 64)
13:24:35.948203 (authentic,confidential): SPI 0x3add16a2: 2001:6f8:124a:1::1 > 2001:6f8:124a:1:20e:35ff:fee5:1333: 2001:6f8:124a::1.22 > 2001:6f8:124a:1:20e:35ff:fee5:1333.37002: S 608163183:608163183(0) ack 146265357 win 16384 <mss 1476,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 3665143149 3373752058> (len 44, hlim 64) (len 84, hlim 64)

Huh, max-mss isn't applied at all.

Are there any configuration pitfalls I missed? Or is scrub max-mss really broken?

-- 
Christian "naddy" Weisgerber [email protected]
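
An added example, not part of the original post: a small Python check that reads `match ... scrub (max-mss N)` rules and the SYN lines of a tcpdump capture, then reports which SYNs still advertise an MSS above the configured limit for their address family. The function names are hypothetical, and the sample capture is the post's four SYNs trimmed to the inner TCP header and the first options.

```python
import re

# New-style rules quoted in the post (enc0 only).
RULES = """\
match on enc0 inet6 all scrub (max-mss 1362)
match on enc0 inet all scrub (max-mss 1398)
"""

# The four SYN packets from the post, trimmed to the inner TCP header.
CAPTURE = """\
172.16.1.98.7007 > 172.16.0.1.22: S 1091414420:1091414420(0) win 16384 <mss 1460,nop,nop,sackOK>
172.16.0.1.22 > 172.16.1.98.7007: S 734342523:734342523(0) ack 1091414421 win 16384 <mss 1398,nop,nop,sackOK>
2001:6f8:124a:1:20e:35ff:fee5:1333.37002 > 2001:6f8:124a::1.22: S 146265356:146265356(0) win 16384 <mss 1440,nop,nop,sackOK>
2001:6f8:124a::1.22 > 2001:6f8:124a:1:20e:35ff:fee5:1333.37002: S 608163183:608163183(0) ack 146265357 win 16384 <mss 1476,nop,nop,sackOK>
"""

RULE_RE = re.compile(r"^match\b.*\b(inet6?)\b.*scrub\s*\(.*?max-mss\s+(\d+)")
# Matches the inner "src.port > dst.port: S ... <mss N"; search() skips any
# outer ESP/IP prefix that tcpdump prints before it.
SYN_RE = re.compile(r"(\S+) > (\S+): S\b.*<mss (\d+)")

def parse_limits(rules):
    """Return {'inet': N, 'inet6': N} from match ... scrub (max-mss N) rules."""
    limits = {}
    for line in rules.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits

def check_capture(capture, limits):
    """Return (src, dst, mss, limit, within_limit) for every SYN in the text."""
    results = []
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        src, dst, mss = m.group(1), m.group(2), int(m.group(3))
        af = "inet6" if ":" in src else "inet"  # IPv6 addresses contain colons
        limit = limits.get(af)
        results.append((src, dst, mss, limit, limit is not None and mss <= limit))
    return results

if __name__ == "__main__":
    limits = parse_limits(RULES)
    for src, dst, mss, limit, ok in check_capture(CAPTURE, limits):
        print(f"{src} > {dst}: mss {mss}, limit {limit}: {'ok' if ok else 'NOT CLAMPED'}")
```

On the sample it flags the incoming IPv4 SYN and both IPv6 SYNs, the same three packets the post points out.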

