ICMP handling not as expected with TPROXY causes PMTUd failure on Red Hat Enterprise Linux 6

Solution Verified

Issue

  • The ICMP Destination Unreachable errors that correspond to transparently proxied (TPROXY) TCP connections are not delivered to the local TCP stack; they are simply routed through the host. TCP Path MTU Discovery (PMTUD) depends on the "Fragmentation Needed and DF Set" variant of that error (ICMP type 3, code 4) reaching the sending socket, so PMTUD fails, the host keeps retransmitting the oversized segment, and the application data transfer ultimately stalls. In the configuration below, every mangle PREROUTING rule that marks traffic for routing table 9 matches protocol tcp only, so the ICMP errors are never marked and follow the main routing table instead.

    Server> iptables -t mangle -nL
    Chain PREROUTING (policy ACCEPT)
    target    prot opt source              destination       
    DIVERT    tcp  --  0.0.0.0/0            0.0.0.0/0          socket
    ACCEPT    all  --  0.0.0.0/0            10.0.220.1         
    TPROXY    tcp  --  0.0.0.0/0            0.0.0.0/0          TPROXY redirect 172.16.1.215:4102 mark 0x9/0xffffffff
    TPROXY    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 TPROXY redirect 172.16.1.215:4101 mark 0x9/0xffffffff
    
    Chain INPUT (policy ACCEPT)
    target    prot opt source              destination
    
    Chain FORWARD (policy ACCEPT)
    target    prot opt source              destination
    
    Chain OUTPUT (policy ACCEPT)
    target    prot opt source              destination
    
    Chain POSTROUTING (policy ACCEPT)
    target    prot opt source              destination
    
    Chain DIVERT (1 references)
    target    prot opt source              destination       
    MARK      all  --  0.0.0.0/0            0.0.0.0/0          MARK set 0x9
    ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
    Server> ip rule show
    0:     from all lookup local 
    32764:     from all fwmark 0x9 iif eth1 lookup 9 
    32765:     from all fwmark 0x9 iif eth0 lookup 9 
    32766:     from all lookup main 
    32767:     from all lookup default
    Server> ip route show table 9
    local default dev lo  scope host
    Router> tcpdump -nneti eth1 icmp or tcp port 3032
    large packet sent by the server:
    00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1466:
    172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:1405, ack 1405, win 17,
    options [nop,nop,TS val 2980158344 ecr 3051678126], length 1400
    
    gateway replies with ICMP unreachable - need to frag:
    00:e0:81:73:1e:0f > 00:1a:a0:36:43:d4, ethertype IPv4 (0x0800), length 590:
    172.16.2.16 > 172.16.22.215: ICMP 10.0.4.211 unreachable - need to frag (mtu 1000),
    length 556
    
    server ignores it and sends the same large packet again:
    00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1466:
    172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:1405, ack 1405, win 17,
    options [nop,nop,TS val 2980158545 ecr 3051678126], length 1400
    
    again the gateway replies with ICMP unreachable - need to frag:
    00:e0:81:73:1e:0f > 00:1a:a0:36:43:d4, ethertype IPv4 (0x0800), length 590:
    172.16.2.16 > 172.16.22.215: ICMP 10.0.4.211 unreachable - need to frag (mtu 1000),
    length 556
    
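
The capture above shows the diagnosis done by eye: the same 1400-byte segment is resent unchanged after the gateway's "need to frag (mtu 1000)" error. The following Python script is an added example, not part of the Red Hat article, that automates the same check over tcpdump -nne output: it parses the ICMP errors and the TCP segments and reports every segment a host sends to a destination that is larger than the MTU a router has just advertised to it, noting whether the segment is a retransmission. SAMPLE_CAPTURE is constructed from the lines above, joined to one line per packet as tcpdump prints them; HONOURED_CAPTURE is a constructed counter-example in which the host shrinks its segment to the advertised MTU.

```python
#!/usr/bin/env python3
"""Flag TCP segments that ignore ICMP 'need to frag' errors in tcpdump -nne output.

Added example, not part of the Red Hat article. Reads a capture file given as
the first argument, or analyses the constructed sample below when run bare.
"""
import re
import sys
from collections import defaultdict

# With -e, tcpdump's "length N:" on the Ethernet part counts the 14-byte header;
# subtract it to get the size of the IP datagram that has to fit the path MTU.
ETH_HDR_LEN = 14

# Constructed sample: the capture from the issue, one line per packet.
SAMPLE_CAPTURE = """\
00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1466: 172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:1405, ack 1405, win 17, options [nop,nop,TS val 2980158344 ecr 3051678126], length 1400
00:e0:81:73:1e:0f > 00:1a:a0:36:43:d4, ethertype IPv4 (0x0800), length 590: 172.16.2.16 > 172.16.22.215: ICMP 10.0.4.211 unreachable - need to frag (mtu 1000), length 556
00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1466: 172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:1405, ack 1405, win 17, options [nop,nop,TS val 2980158545 ecr 3051678126], length 1400
00:e0:81:73:1e:0f > 00:1a:a0:36:43:d4, ethertype IPv4 (0x0800), length 590: 172.16.2.16 > 172.16.22.215: ICMP 10.0.4.211 unreachable - need to frag (mtu 1000), length 556
"""

# Constructed counter-example: after the ICMP error the host resends at 1000 bytes
# of IP (1014-byte frame), i.e. PMTUD worked.
HONOURED_CAPTURE = """\
00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1466: 172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:1405, ack 1405, win 17, options [nop,nop,TS val 2980158344 ecr 3051678126], length 1400
00:e0:81:73:1e:0f > 00:1a:a0:36:43:d4, ethertype IPv4 (0x0800), length 590: 172.16.2.16 > 172.16.22.215: ICMP 10.0.4.211 unreachable - need to frag (mtu 1000), length 556
00:1a:a0:36:43:d4 > 00:e0:81:73:1e:0f, ethertype IPv4 (0x0800), length 1014: 172.16.22.215.3032 > 10.0.4.211.48667: Flags [P.], seq 5:953, ack 1405, win 17, options [nop,nop,TS val 2980158545 ecr 3051678126], length 948
"""

# TCP segment: frame length from the Ethernet part, endpoints, sequence range.
TCP_RE = re.compile(
    r"length (?P<frame>\d+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[[^\]]*\], "
    r"seq (?P<seq_lo>\d+):(?P<seq_hi>\d+),.*, length (?P<payload>\d+)$"
)
# ICMP type 3 code 4 as tcpdump renders it: router -> host, about the original destination.
ICMP_RE = re.compile(
    r"(?P<gw>\d+\.\d+\.\d+\.\d+) > (?P<host>\d+\.\d+\.\d+\.\d+): ICMP "
    r"(?P<orig_dst>\d+\.\d+\.\d+\.\d+) unreachable - need to frag \(mtu (?P<mtu>\d+)\)"
)


def analyze(capture):
    """Return one finding per TCP segment that is larger than the MTU the
    sender was last told about (via ICMP need-to-frag) for that destination."""
    pmtu = {}                    # (host, original destination) -> advertised MTU
    seen_seq = defaultdict(set)  # flow 4-tuple -> starting seq numbers already sent
    findings = []
    for lineno, raw in enumerate(capture.splitlines(), 1):
        line = raw.rstrip()
        m = ICMP_RE.search(line)
        if m:
            pmtu[(m["host"], m["orig_dst"])] = int(m["mtu"])
            continue
        m = TCP_RE.search(line)
        if not m:
            continue
        flow = (m["src"], m["sport"], m["dst"], m["dport"])
        ip_len = int(m["frame"]) - ETH_HDR_LEN
        seq_lo = int(m["seq_lo"])
        mtu = pmtu.get((m["src"], m["dst"]))
        if mtu is not None and ip_len > mtu:
            findings.append({
                "line": lineno,
                "flow": flow,
                "ip_len": ip_len,
                "mtu": mtu,
                "retransmit": seq_lo in seen_seq[flow],
            })
        seen_seq[flow].add(seq_lo)
    return findings


def describe(finding):
    """One-line human-readable report for a finding from analyze()."""
    src, sport, dst, dport = finding["flow"]
    kind = "retransmitted" if finding["retransmit"] else "sent"
    return (f"line {finding['line']}: {src}:{sport} -> {dst}:{dport} {kind} a "
            f"{finding['ip_len']}-byte IP packet after ICMP need-to-frag advertised "
            f"mtu {finding['mtu']}: PMTUD not honoured")


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CAPTURE
    findings = analyze(text)
    for f in findings:
        print(describe(f))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Feed it a live capture from the gateway side with tcpdump -nne -w - piped through tcpdump -nner - , or save the text output to a file and pass the path; a non-zero exit code means at least one oversized segment followed an ICMP error it should have shrunk to. The check keys on the (host, destination) pair rather than the full 4-tuple because the ICMP error only carries the original destination in its summary line.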

Environment

  • Red Hat Enterprise Linux 6
