I forgot to mention that I don't have any firewall rules on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.

A few more questions:
    - Why does ssh set the Don't-Fragment bit?  This is maybe usual
      in today's TCP/IP communications, as Path MTU Discovery slowly
      replaced fragmentation.

TCP always sets don't frag:
        /*
         * If we do path MTU discovery, then we set DF on every packet.
         * This might not be the best thing to do according to RFC3390
         * Section 2. However the tcp hostcache mitigates the problem
         * so it affects only the first tcp connection with a host.
         */
        if (path_mtu_discovery)
                ip->ip_off |= IP_DF;

You can turn it off via this sysctl:

int path_mtu_discovery = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
        &path_mtu_discovery, 1, "Enable Path MTU Discovery");

    - Why doesn't Path MTU Discovery work here?  I'm pretty
      sure that the ICMP Need-To-Frag packets are not filtered since
      I am able to see them outgoing from the Ethernet network card
      on the RELENG_4 router.


Does SSH use IPSEC AH?
Just guessing here, but maybe the problem is (from icmp_input()):

                /*
                 * XXX if the packet contains [IPv4 AH TCP], we can't make a
                 * notification to TCP layer.
                 */
                ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
                if (ctlfunc)
                        (*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
                                   (void *)&icp->icmp_ip);



--
Dave Baukus
[EMAIL PROTECTED]                       
        Chiaro Networks Ltd.
        Richardson, Texas
        USA

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

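The dispatch Dave quotes from icmp_input() can be seen in miniature with a small parser. The following is an added example, not FreeBSD code: it reads a constructed ICMP type 3 / code 4 (fragmentation needed) datagram, pulls out the next-hop MTU and the protocol of the quoted inner IP header, and picks a notification target from that protocol the way inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput does. The packet bytes are constructed inline, and the handler names returned by dispatch() are illustrative labels, not the kernel's protosw entries. When the offending packet was [IPv4 AH TCP], the quoted header's ip_p is 51 (AH), so the TCP side is never told about the smaller MTU, which is the XXX case in the comment above.

```c
/*
 * Added example (not FreeBSD's code): parse an ICMP "fragmentation needed"
 * datagram the way icmp_input() looks at it and dispatch on the protocol of
 * the quoted inner IP header.  All packet bytes below are constructed.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { PROTO_ICMP = 1, PROTO_TCP = 6, PROTO_AH = 51 };

struct needfrag {
    uint8_t  inner_proto;   /* ip_p of the quoted (offending) datagram */
    uint16_t next_hop_mtu;  /* MTU advertised by the router (RFC 1191) */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Parse an IPv4 datagram as received.  Returns 1 and fills 'nf' if it is
 * ICMP type 3 code 4 carrying a complete quoted IP header plus 8 bytes of
 * the original transport header; returns 0 for anything else or truncated.
 */
int parse_needfrag(const uint8_t *buf, size_t len, struct needfrag *nf)
{
    if (len < 20) return 0;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;
    if ((buf[0] >> 4) != 4 || ihl < 20 || len < ihl + 8) return 0;
    if (buf[9] != PROTO_ICMP) return 0;
    const uint8_t *icmp = buf + ihl;
    if (icmp[0] != 3 || icmp[1] != 4) return 0;          /* dest unreach, frag needed */
    const uint8_t *inner = icmp + 8;
    size_t inner_len = len - ihl - 8;
    if (inner_len < 20) return 0;
    size_t inner_ihl = (size_t)(inner[0] & 0x0f) * 4;
    if (inner_ihl < 20 || inner_len < inner_ihl + 8) return 0;
    nf->inner_proto = inner[9];                           /* icp->icmp_ip.ip_p */
    nf->next_hop_mtu = rd16(icmp + 6);                    /* ICMP header bytes 6-7 */
    return 1;
}

/* Which ctlinput gets called; names are illustrative, keyed on inner ip_p only. */
const char *dispatch(const struct needfrag *nf)
{
    switch (nf->inner_proto) {
    case PROTO_TCP: return "tcp_ctlinput";   /* TCP learns the new MTU */
    case PROTO_AH:  return "ah_ctlinput";    /* AH is notified, TCP inside it is not */
    default:        return "none";
    }
}

/*
 * Construct a frag-needed datagram (outer IP 20 + ICMP 8 + quoted IP 20 +
 * 8 bytes of L4) whose quoted packet has protocol 'inner_proto'.
 * 'out' must hold at least 56 bytes; returns the length written.
 */
size_t build_needfrag(uint8_t *out, uint8_t inner_proto, uint16_t mtu)
{
    memset(out, 0, 56);
    out[0] = 0x45; out[3] = 56; out[9] = PROTO_ICMP;     /* outer header from the router */
    uint8_t *icmp = out + 20;
    icmp[0] = 3; icmp[1] = 4;                             /* checksum left zero (constructed) */
    icmp[6] = (uint8_t)(mtu >> 8); icmp[7] = (uint8_t)(mtu & 0xff);
    uint8_t *in = icmp + 8;
    in[0] = 0x45; in[2] = 0x05; in[3] = 0xdc; in[9] = inner_proto; /* original was 1500 bytes */
    uint8_t *l4 = in + 20;
    if (inner_proto == PROTO_AH)
        l4[0] = PROTO_TCP;                                /* AH next-header = TCP, unseen by icmp_input */
    else { l4[1] = 22; l4[2] = 0xc0; }                    /* TCP ports 22 -> 49152 */
    return 56;
}

int main(void)
{
    uint8_t pkt[64]; struct needfrag nf;
    uint8_t protos[2] = { PROTO_TCP, PROTO_AH };
    for (int i = 0; i < 2; i++) {
        size_t n = build_needfrag(pkt, protos[i], 1400);
        if (parse_needfrag(pkt, n, &nf))
            printf("inner ip_p %u, next-hop mtu %u -> %s\n",
                   nf.inner_proto, nf.next_hop_mtu, dispatch(&nf));
    }
    return 0;
}
```

Running it prints one line per constructed packet: the TCP case reaches tcp_ctlinput, the AH case does not, even though a TCP header sits right behind the AH header in the quoted bytes.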