Re: possible regression handling packet fragmentation in 14.0 with tftp/pxe
Date: Mon, 22 Apr 2024 05:59:48 UTC
On Fri, 19 Apr 2024 17:48:01 +0200, Dag-Erling Smørgrav <des@FreeBSD.org> wrote:

> Since you control the routers and endpoints, I would suggest running
> tcpdump at various points to see what the tunnel and pf are doing to
> the UDP packets. They are presumably getting fragmented at some point,
> and hopefully reassembled somewhere else.

Yes, I can access all tap, bridge, and ethernet interfaces along the way (well, apart from what the pxe client actually receives, this is hidden in its firmware). However, I already did that last week but was not able to spot the culprit (the packet being sent back to the pxe client machine is 1460 bytes, so it looks complete to me but is obviously not accepted on the client's end). I'll probably have to read up more on tcpdump and fragmentation handling first to get a better understanding of what I am actually looking for.

Any idea what the "bad length 1460 > 1392" message on the 13.3 system means (and why everything is still working)?

> Meanwhile you can also set the net.inet.udp.maxdgram sysctl to 1425 on
> the NFS server, as tftpd will cap the blocksize to that value.

That's an interesting hint I didn't see before. Thanks. As the server is used by a bunch of systems and the "-o" option works around the issue for me right now, I will probably refrain from toying with the setting on the production system and see if I can come up with a separate test setup instead. I am working on a new server machine that will come with a migration from syslinux/mbr to ipxe/uefi and thus reduce the usage of tftp (it will only be used for the first ipxe firmware/bootloader step then - bootmenu, kernel and initramfs will be transferred over http). This might give me a good test environment where I can try things without breaking the production system.

As this appears to be different behaviour on 13.3 and 14.0, I had hoped this might already be sufficient to ring a bell for someone here reading this (like "oh, yes, there were changes in pf that cause different handling of fragmented udp packets"). I hope I can soon dig up more information.

cu
Gerrit