Hello Marios

The DF bit shouldn't be cleared, because it's necessary for PMTUD (Path MTU
Discovery). There is also nothing surprising about packets having the DF flag
set (it depends on the operating system).

> Hello misc@,
> 
> I currently have a VM running as a NAT64 gateway.
> It is running OpenBSD 5.3 with the vio stability patch.
> 
> I have the following pf.conf:
> 
> pass in inet6 proto { tcp, udp, icmp6 } from <network> to <pref64>
> af-to inet from $ipv4_addr
> 
> While this works fine in one environment, the same VM
> moved to a different host doesn't work properly.
> Specifically, packets are matched by the rule, I can see them
> leave the interface with tcpdump, but I never receive a response
> from the remote host.
> 
> While investigating the issue, I noticed that when sending a ping
> from a host behind the NAT64 gateway, the IPv4 packet sent contains
> the DF (don't fragment) flag.
> 
> I am suspecting the host might be blackholing all packets having the
> DF flag set,
> which is why the translation won't work there.
> 
> I have the two questions below:
>  - Is this behavior expected? It affects all IPv4 packets created.
>  - Is there a way to clear the DF flag on the packet created by the af-to
> rule?
> 
> I have tried adding the following rule after the pass:
>  match out scrub (no-df)
> 
> But to no success. I added the 'log' keyword but it seems the match
> rule is never matched.
> 
> Thanks,
> 
> Marios
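Since the thread turns on whether the af-to translated packets carry DF and why that matters for PMTUD, here is an added Python example (written for this page, not code from the thread or from OpenBSD's pf) that decodes the DF flag from a raw IPv4 header, the same field tcpdump prints as "DF", and shows the forwarding decision a router takes based on it: forward, fragment, or drop with an ICMP "fragmentation needed" report. The addresses, identification value and payload sizes are constructed placeholders.

```python
import socket
import struct

# Constructed sample values (documentation-range addresses), not from the thread.
SRC = "192.0.2.10"
DST = "198.51.100.20"

DF_FLAG = 0x4000  # "Don't Fragment": bit 14 of the 16-bit flags/fragment-offset field
MF_FLAG = 0x2000  # "More Fragments"
IPV4_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 over a header whose checksum is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, df=True, ident=0x1234, proto=1, ttl=64):
    """Build a minimal IPv4 header; proto=1 (ICMP) mirrors the ping in the thread."""
    flags_frag = DF_FLAG if df else 0
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(header)  # computed with the checksum field zeroed
    return header[:10] + struct.pack("!H", csum) + header[12:]


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fields tcpdump shows as 'length', 'id', 'DF' and 'offset' from raw bytes."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl_bytes = (ver_ihl & 0x0F) * 4
    return {
        "ihl_bytes": ihl_bytes,
        "total_len": total_len,
        "ident": ident,
        "df": bool(flags_frag & DF_FLAG),
        "mf": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # stored in 8-byte units
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl_bytes]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def router_action(packet: bytes, next_hop_mtu: int) -> str:
    """Decision an RFC 791/1191 router makes for this packet on a link of next_hop_mtu bytes."""
    fields = parse_ipv4(packet)
    if fields["total_len"] <= next_hop_mtu:
        return "forward"
    if fields["df"]:
        # PMTUD relies on this: the packet is dropped and the sender gets ICMP
        # type 3 code 4 ("fragmentation needed") carrying the next-hop MTU.
        return "drop_and_send_icmp_frag_needed"
    return "fragment"


if __name__ == "__main__":
    ping = build_ipv4_header(SRC, DST, 64)
    print(parse_ipv4(ping))
    for df in (True, False):
        big = build_ipv4_header(SRC, DST, 1480, df=df)
        print("DF" if df else "no DF", "on a 1400-byte link:", router_action(big, 1400))
```

A path that silently drops DF packets larger than its MTU without returning the ICMP error is the PMTUD black hole the original poster suspects; clearing DF on the gateway would hide that symptom by letting intermediate routers fragment, at the cost of the sender never learning the real path MTU, which is the point the reply makes.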
