[Bug 264193] pf: scrub max-mss rule stops working (but still counts) after 13.1-RELEASE upgrade

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 04 Jun 2022 07:29:16 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=264193

--- Comment #2 from oleg@mamontov.net ---
Hello.

My test case looks more complicated, sorry about this. I reproduce it in bhyve
vms freshly installed from FreeBSD-13.0-RELEASE-amd64-disc1.iso and
FreeBSD-13.1-RELEASE-amd64-disc1.iso without any setup customizations.

Below are the preparations (the same for 13.0 and 13.1):
--------
# kldload pf
# touch /etc/pf.conf

# cat /tmp/pf.conf
scrub on epair1b proto tcp max-mss 1380
pass out route-to (epair1b 10.0.1.1) proto tcp to port 25

# cat /etc/jail.conf
mss {
    path = /;
    persist;

    vnet new;
    vnet.interface  = epair0b;
    vnet.interface += epair1b;

    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a inet 10.0.0.1/24";
    exec.prestart += "ifconfig epair1 create";
    exec.prestart += "ifconfig epair1a inet 10.0.1.1/24";

    exec.start  = "ifconfig epair0b inet 10.0.0.2/24";
    exec.start += "ifconfig epair1b inet 10.0.1.2/24";
    exec.start += "route add default 10.0.0.1";
    exec.start += "service pf onestart";
    exec.start += "pfctl -f /tmp/pf.conf";

    exec.poststop  = "ifconfig epair0a destroy";
    exec.poststop += "ifconfig epair1a destroy";
}

# service jail onestart mss
Starting jails: mss.
--------

Now testing on 13.0-RELEASE:
--------
# jexec mss telnet -N 1.2.3.4 25
Trying 1.2.3.4...

# tcpdump -ni epair1a
10:18:27.724252 IP 10.0.0.2.43516 > 1.2.3.4.25: Flags [S], seq 1151646480, win
65535, options [mss 1380,nop,wscale 6,sackOK,TS val 518156570 ecr 0], length 0
--------


The same on 13.1-RELEASE:
--------
# jexec mss telnet -N 1.2.3.4 25
Trying 1.2.3.4...

# tcpdump -ni epair1a
10:24:27.627525 IP 10.0.0.2.42802 > 1.2.3.4.25: Flags [S], seq 2537751742, win
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 185378837 ecr 0], length 0
--------


I believe you can see the difference (mss 1380 vs 1460).
Thank you.

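The check the reporter made by eye (max-mss in pf.conf versus the MSS option on the SYN seen on the route-to interface) can be scripted so it runs as a regression test after upgrades. This is an added example, not code from the bug report or from FreeBSD; the two capture lines are constructed from the 13.0 and 13.1 tcpdump output above, joined onto single lines, and the file names passed to check_capture are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: read the clamp from pf.conf, scan
# tcpdump -n output captured on the route-to interface (epair1a above) and flag
# every TCP SYN whose MSS option is still above max-mss. The two capture lines
# below are constructed from the 13.0 and 13.1 outputs in the report.

SYN_130='10:18:27.724252 IP 10.0.0.2.43516 > 1.2.3.4.25: Flags [S], seq 1151646480, win 65535, options [mss 1380,nop,wscale 6,sackOK,TS val 518156570 ecr 0], length 0'
SYN_131='10:24:27.627525 IP 10.0.0.2.42802 > 1.2.3.4.25: Flags [S], seq 2537751742, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 185378837 ecr 0], length 0'

# Print the value of the "mss N" TCP option in one tcpdump line (nothing if absent).
tcpdump_mss() {
    printf '%s\n' "$1" | sed -n 's/.*options \[mss \([0-9][0-9]*\).*/\1/p'
}

# Read N from the first "scrub ... max-mss N" rule in a pf.conf file.
pf_max_mss() {
    sed -n 's/^scrub .*max-mss \([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Exit 0 when the SYN's MSS is at or below the clamp ($1), 1 otherwise.
mss_clamped() {
    mss=$(tcpdump_mss "$2")
    [ -n "$mss" ] && [ "$mss" -le "$1" ]
}

# Scan a capture text file ($2, tcpdump -n output) against a pf.conf ($1);
# report each initial SYN and exit 0 only if none escaped the clamp.
check_capture() {
    max=$(pf_max_mss "$1")
    bad=0
    while IFS= read -r line; do
        case $line in
            *'Flags [S],'*) ;;      # initial SYN only; a SYN-ACK shows as [S.]
            *) continue ;;
        esac
        if mss_clamped "$max" "$line"; then
            echo "ok   mss $(tcpdump_mss "$line") <= $max"
        else
            echo "FAIL mss $(tcpdump_mss "$line") >  $max  ($line)"
            bad=$((bad + 1))
        fi
    done < "$2"
    [ "$bad" -eq 0 ]
}
```

Run it as `tcpdump -nli epair1a 'tcp[tcpflags] & tcp-syn != 0' > capture.txt` on the host while the jail connects, then `check_capture /tmp/pf.conf capture.txt`; a non-zero exit means at least one SYN left with an unclamped MSS.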