I noticed recently that I had a problem with path MTU discovery and in experimenting a bit to find the problem, I think I found a bug.
In order to make PMTU discovery work, the firewall has to pass ICMP type 3 code 4 packets. Mine was dropping them. I think it was just dropping the ones that originated on the firewall, but I'm not 100% sure.
I had defined an fwbuilder rule to pass those packets. The script code generated looked like:
$IPTABLES -A OUTPUT -p icmp --icmp-type 3 -m state --state NEW -j ACCEPT
The problem was that the ICMP packets generated on the firewall (which was trying to route the packets down an interface with a smaller MTU -- an IPSEC connection, to be precise) show up with state INVALID, so the rule wasn't matching them. As I understand it, this is what they should be. They're not ESTABLISHED or RELATED because they're not part of nor related to an existing connection, and they're not NEW, because they're not part of a "connection" at all (as I understand it). So they're INVALID.
By hand-editing the generated script, I can fix the problem, either by removing the --state clause completely, or by adding INVALID to the list of matchable states.
Thanks,
Shawn.
Right-click in the "Options" column of this rule, then check the checkbox to make this rule stateless. This will remove "--state NEW" completely.
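An added example, not code from the original post or from fwbuilder: a POSIX shell audit that reads an iptables-save style dump (the sample below is constructed) and reports OUTPUT rules that accept ICMP type 3 only in conntrack state NEW, which a fragmentation-needed message (type 3, code 4) generated on the firewall itself never satisfies because it carries state INVALID. For each such rule it prints both fixes the thread describes: the stateless rule (what the "stateless" option produces) and the rule with INVALID added to the state list. It goes slightly beyond the thread by also recognising the newer `-m conntrack --ctstate` syntax.

```shell
#!/bin/sh
# Added example (not from the original post or from fwbuilder): audit an
# iptables-save style dump for OUTPUT rules that accept ICMP type 3 only in
# conntrack state NEW. A fragmentation-needed message (type 3, code 4) that
# the firewall itself generates carries state INVALID, so such a rule never
# matches it and path MTU discovery breaks.

# Constructed sample dump; the 3/4 rule is the one the post describes.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -m state --state NEW -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT'

# find_stateful_icmp3: read rules on stdin, print OUTPUT rules for ICMP type 3
# (any code, numeric or named) whose state list includes NEW but not INVALID.
# Both the legacy "-m state --state" and "-m conntrack --ctstate" forms are
# recognised. Always exits 0 so callers can use it under "set -e".
find_stateful_icmp3() {
    grep -E -- '^-A OUTPUT .*-p icmp .*--icmp-type (3|3/[0-9]+|destination-unreachable|fragmentation-needed) ' \
      | grep -E -- '--(ct)?state [A-Z,]*NEW' \
      | grep -E -v -- '--(ct)?state [A-Z,]*INVALID' \
      || :
}

# stateless_fix: drop the state match entirely (what fwbuilder's "stateless"
# option does), so the rule matches regardless of conntrack state.
stateless_fix() {
    sed -E 's/ -m (state --state|conntrack --ctstate) [A-Z,]+//'
}

# add_invalid: keep the state match but extend the list with INVALID,
# the other fix described in the post.
add_invalid() {
    sed -E 's/(--(ct)?state [A-Z,]+)/\1,INVALID/'
}

# Report each offending rule with both candidate replacements.
printf '%s\n' "$SAMPLE_RULES" | find_stateful_icmp3 | while read -r rule; do
    echo "offending: $rule"
    echo "  stateless: $(printf '%s\n' "$rule" | stateless_fix)"
    echo "  +INVALID:  $(printf '%s\n' "$rule" | add_invalid)"
done
```

To run it against a live firewall, replace the constructed `SAMPLE_RULES` with the output of `iptables-save`; the rule for echo requests (type 8) is deliberately left alone, since outbound pings do open a conntrack entry and match NEW as expected.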