I forgot to tell that I don't have any firewall rule on the ssh server,
and net.inet.tcp.path_mtu_discovery is set to 1.
A few more questions :
- Why does ssh set the Dont-Fragment bit ? This is maybe usual
in today TCP/IP communications, as Path MTU Discovery slowly
replaced fragmentation.
TCP always sets don't frag:
/*
* If we do path MTU discovery, then we set DF on every packet.
* This might not be the best thing to do according to RFC3390
* Section 2. However the tcp hostcache migitates the problem
* so it affects only the first tcp connection with a host.
*/
if (path_mtu_discovery)
ip->ip_off |= IP_DF;
You can turn it off via this sysctl:
int path_mtu_discovery = 1;
SYSCTL_INT(_net_inet_tcp, OID_AUTO, path_mtu_discovery, CTLFLAG_RW,
&path_mtu_discovery, 1, "Enable Path MTU Discovery");
- Why does Path MTU Discovery doesn't work here ? I'm pretty
sure that the ICMP Need-To-Frag packets are not filtered since
I am able to see them outgoing from the Ethernet network card
on the RELENG_4 router.
Does SSH use IPSEC AH ?
Just guessing here, but maybe the problems is (from icmp_input()):
/*
* XXX if the packet contains [IPv4 AH TCP], we can't make a
* notification to TCP layer.
*/
ctlfunc = inetsw[ip_protox[icp->icmp_ip.ip_p]].pr_ctlinput;
if (ctlfunc)
(*ctlfunc)(code, (struct sockaddr *)&icmpsrc,
(void *)&icp->icmp_ip);
--
Dave Baukus
[EMAIL PROTECTED]
Chiaro Networks Ltd.
Richardson, Texas
USA
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
