Hello,

On 04.08.2016 08:20, Alexander Heinlein wrote:
> I would like to know why ip_tunnel_ioctl() enforces the DF bit whenever
> the tunnel device has a fixed TTL set. The same restriction is enforced
> by iproute2 (iptunnel.c and link_iptnl.c).
>
> Ideally I would like to use an IPIP tunnel with a fixed TTL but no DF
> bit set. Otherwise for non-TCP packets that are larger than the PMTU
> size the kernel will send ICMP packets to end systems. However these
> ICMP packets are ignored by the end system since the original packets
> didn't have the DF bit set. As a result, non-TCP packets larger than the
> PMTU are being dropped.
It should prevent endless loops. Imagine you have a packet looping into the
tunnel again somehow because of broken network setup: the tie breaker normally
is the TTL, so if it reaches zero, the packet gets dropped. You can do the same
with the packet size. So you add yet another tunnel header, until you can't
forward it anymore and thus drop the packet, too. If you don't use any of those
tie breakers you are vulnerable to network outages.

Bye,
Hannes
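As an added illustration of the tie-breaker argument in the reply above (example code, not from the thread or from the kernel), this C model sends one packet into a tunnel whose egress routes it straight back into the same tunnel, so every round adds one more outer header; the link MTU, header size and round cap are assumed values, and the helper that turns a fixed TTL into DF mirrors the behaviour the thread describes, not the kernel's actual code.

```c
#include <stdbool.h>

#define IP_HDR_LEN 20      /* assumed: one IPIP encapsulation adds one IPv4 header */
#define LINK_MTU   1500    /* assumed link MTU */
#define MAX_ROUNDS 100000  /* assumed guard so a loop with no tie breaker still returns */

enum ttl_mode { TTL_INHERIT, TTL_FIXED };

struct tunnel_cfg {
    enum ttl_mode ttl_mode;
    int fixed_ttl;   /* only used when ttl_mode == TTL_FIXED */
    bool df;         /* set DF on the outer header */
};

/* Models the rule the thread discusses: a fixed TTL implies DF on the outer header. */
void apply_fixed_ttl_rule(struct tunnel_cfg *cfg)
{
    if (cfg->ttl_mode == TTL_FIXED && cfg->fixed_ttl > 0)
        cfg->df = true;
}

enum outcome { DROPPED_TTL, DROPPED_PMTU, LOOPS_FOREVER };

/* One packet of inner_len bytes with TTL inner_ttl enters the looping tunnel.
 * Returns what finally stops it and, via rounds_out, after how many rounds. */
enum outcome model_loop(struct tunnel_cfg cfg, int inner_len, int inner_ttl, int *rounds_out)
{
    int ttl = inner_ttl, len = inner_len;
    for (int r = 1; r <= MAX_ROUNDS; r++) {
        len += IP_HDR_LEN;                 /* yet another tunnel header */
        if (cfg.ttl_mode == TTL_INHERIT) {
            if (--ttl <= 0) { *rounds_out = r; return DROPPED_TTL; }
        } else {
            ttl = cfg.fixed_ttl;           /* pinned every round: never reaches zero */
        }
        if (len > LINK_MTU) {
            if (cfg.df) { *rounds_out = r; return DROPPED_PMTU; }
            len = LINK_MTU;                /* no DF: fragmented to fit, keeps circulating */
        }
    }
    *rounds_out = MAX_ROUNDS;              /* neither tie breaker applies */
    return LOOPS_FOREVER;
}
```

With an inherited TTL the loop ends when the TTL expires; with a fixed TTL only DF (the packet outgrowing the MTU) ends it, and with neither the packet circulates until the model's round cap.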