On 23.12.2019 13:55, Eugene Grosbein wrote:
>> I think the real problem is that PMTUD doesn't work correctly with
>> IPsec. Linux has special sysctl variable ip_no_pmtu_disc and flag
>> SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 and IP_DF
>> flag will not be set. We can add some similar quirks, but it would be
>> better to fix PMTUD. We already have hundreds of sysctls in our system and
>> remembering all of them is a problem too.
>
> It's true that PMTUD does not work with IPSec transport mode.
>
> I think we could just clear DF bit off encapsulated transport mode packets
> unconditionally,
> please take a look at last chunk of sample patch in the PR 242744:
> https://bz-attachments.freebsd.org/attachment.cgi?id=210122
>
> Sample patch creates another sysctl but we should do it unconditionally,
> don't we?
As I said, I didn't find that other OSes do this. Linux has PMTUD enabled by default, strongswan doesn't set the SADB_SAFLAGS_NOPMTUDISC flag, and OpenBSD has no such quirk. Why should we add this instead of trying to fix PMTUD?

--
WBR, Andrey V. Elsukov
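As an added illustration (not code from this thread, the PR, or FreeBSD), a small Python model of the two points under discussion: why a full-size segment no longer fits the link MTU once ESP transport mode wraps it, and what the quoted workaround does to the IPv4 header. The ESP overhead figures (AES-CBC IV, HMAC-SHA1-96 ICV) and the sample header are assumptions for the example.

```python
import struct

IP_DF = 0x4000  # "Don't Fragment" bit in the IPv4 flags/fragment-offset field


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header with the checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(total_len: int, flags_frag: int, proto: int, src: bytes, dst: bytes) -> bytes:
    """Constructed 20-byte header (no options) with a valid checksum; sample input only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def df_set(pkt: bytes) -> bool:
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    return bool(flags_frag & IP_DF)


def clear_df(pkt: bytes) -> bytes:
    """The workaround quoted in the thread: drop DF on the outer header and refresh the checksum."""
    (flags_frag,) = struct.unpack("!H", pkt[6:8])
    out = pkt[:6] + struct.pack("!H", flags_frag & ~IP_DF) + pkt[8:]
    return out[:10] + struct.pack("!H", ipv4_checksum(out)) + out[12:]


def esp_transport_len(ip_total_len: int, ihl: int = 20, iv_len: int = 16, icv_len: int = 12, block: int = 16) -> int:
    """Assumed ESP layout: 8-byte SPI/sequence header, IV, payload padded with a 2-byte
    trailer to a multiple of `block`, then ICV. Returns the outer IPv4 total length
    after transport-mode encapsulation (only the L4 payload is protected)."""
    inner = ip_total_len - ihl
    padded = -(-(inner + 2) // block) * block
    return ihl + 8 + iv_len + padded + icv_len


if __name__ == "__main__":
    # Constructed sample: a full-size TCP/IP packet with DF set (RFC 5737 addresses).
    pkt = build_ipv4_header(1500, IP_DF, 6, b"\xc0\x00\x02\x01", b"\xc0\x00\x02\x02")
    print("DF set before:", df_set(pkt), "after:", df_set(clear_df(pkt)))
    print("length after ESP transport mode:", esp_transport_len(1500), "> 1500 MTU")
```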