On 6/8/20 8:13 AM, Simon Hobson wrote:
> I am really not an expert in IPv6 :-(

heh. is _anyone_? much voudou req'd! ;-)

> will drop it AND send back an ICMP6 PTB (Packet Too Big) message to the
> source - thus explicitly telling the source to use smaller packets for that
> flow. If the PTB packets are filtered, then the mechanism fails.
>
> This can occur at any hop, and in the test cases you've found, they will be
> artificially simulating this as a test. 1280 won't be configured on any of
> your systems, IIRC it's the minimum packet size supported in IPv6.

chatting with the @testsite admin, the fallback is, in fact, intentional. as you surmised, as a test.

_if_ i'm reading all this correctly, the fallback _should_ happen

it appears it's done with low-overhead once per flow ...

i'm still unclear whether it's to be 'fixed' or 'avoided' by mss etc. config in SW, or whether i'm being told "all good!"

> IIRC, by default Shorewall6 will configure the rules needed to allow
> mandatory ICMP6 packets through. Have you perhaps added some of your own that
> could be dropping them ?

not that i've intended.

i _have_ been monkeying a great deal trying to get this redirect-all-IPv6-over-the-wireguard-vpn biz working. as usual, in retrospect it's a relatively trivial setup; far less 'opaque' & finicky than openvpn, ime.

so, still possible I've fubar'd something; not jumping out at me, atm, tho.

when you suggest "by default Shorewall6 will configure", is that indeed by out-of-the-box default, not requiring ANY rules/shorewall.conf/etc/etc?
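Added example, not part of the original message and not Shorewall's own code: a Python check that walks `ip6tables-save` output and reports what the filter does with an inbound ICMPv6 Packet Too Big (type 2), the case where the quoted text says the mechanism fails. The sample rulesets, the `wg0` interface and the `icmp6-in` chain name are constructed; it assumes the PTB belongs to a tracked flow (which conntrack classifies as RELATED) and handles only the matchers listed in `KNOWN`.

```python
import shlex

ICMP6 = {"ipv6-icmp", "icmpv6", "58"}   # spellings of IP protocol 58
PTB = {"2", "packet-too-big"}           # ICMPv6 type 2
KNOWN = {"-p", "-m", "-j", "-i", "--icmpv6-type", "--ctstate", "--reject-with"}

def parse(ruleset):
    """Return ({chain: policy}, {chain: [[(option, value), ...], ...]})."""
    policies, rules = {}, {}
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            if "!" in tok or len(tok) % 2:   # negation / flag-only options
                raise ValueError(f"unsupported rule: {line}")
            rules.setdefault(tok[1], []).append(list(zip(tok[2::2], tok[3::2])))
    return policies, rules

def matches(opts, iface):
    """Would this rule match an inbound PTB on iface for a tracked flow?"""
    for key, val in opts:
        if key not in KNOWN:
            raise ValueError(f"unsupported matcher: {key}")
        if ((key == "-p" and val not in ICMP6)
                or (key == "--icmpv6-type" and val not in PTB)
                or (key == "--ctstate" and "RELATED" not in val.split(","))
                or (key == "-i" and val != iface)):
            return False
    return True

def walk(chain, rules, iface):
    """First terminal target reached in chain (following jumps), else None."""
    for opts in rules[chain]:
        if not matches(opts, iface):
            continue
        target = dict(opts).get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target in rules and (verdict := walk(target, rules, iface)):
            return verdict
    return None

def ptb_verdict(ruleset, chain="INPUT", iface="wg0"):
    policies, rules = parse(ruleset)
    return walk(chain, rules, iface) or policies[chain]

# Constructed rulesets (not from the thread); "icmp6-in" is a made-up chain name.
BASE = ":INPUT DROP [0:0]\n:icmp6-in - [0:0]\n-A INPUT -i lo -j ACCEPT\n"
FILTERED = BASE + "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT\n"
ALLOWED = BASE + ("-A INPUT -p ipv6-icmp -j icmp6-in\n"
                  "-A icmp6-in -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT\n")
```

Feed it the real output of `ip6tables-save` and pass `chain="FORWARD"` when the host routes the flow rather than terminating it.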