Date:      Fri, 24 Sep 2021 08:28:31 GMT
From:      Wojciech Macek <wma@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: b4220bf387e6 - main - ipsec: If no PMTU in hostcache assume it's equal to link's MTU
Message-ID:  <202109240828.18O8SVQY075267@gitrepo.freebsd.org>

The branch main has been updated by wma:

URL: https://cgit.FreeBSD.org/src/commit/?id=b4220bf387e62f59d73308f122f5eea887a59d58

commit b4220bf387e62f59d73308f122f5eea887a59d58
Author:     Bartlomiej Grzesik <bag@semihalf.com>
AuthorDate: 2021-09-24 08:25:53 +0000
Commit:     Wojciech Macek <wma@FreeBSD.org>
CommitDate: 2021-09-24 08:25:53 +0000

    ipsec: If no PMTU in hostcache assume it's equal to link's MTU
    
    If we fail to find PMTU in hostcache, we assume it's equal
    to link's MTU.
    
    This patch prevents packets larger than link's MTU from being dropped
    silently if there is no PMTU in hostcache.
    
    Differential revision:  https://reviews.freebsd.org/D31770
    Obtained from:          Semihalf
    Sponsored by:           Stormshield
---
 sys/netipsec/ipsec_output.c | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 50bbd72f0589..c4e34665b8f5 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -352,15 +352,29 @@ setdf:
 
 	key_freesav(&sav);
 	pmtu = tcp_hc_getmtu(&inc);
-	/* No entry in hostcache. */
-	if (pmtu == 0)
-		return (0);
+	/* No entry in hostcache. Use link MTU instead. */
+	if (pmtu == 0) {
+		switch (dst->sa.sa_family) {
+		case AF_INET:
+			pmtu = tcp_maxmtu(&inc, NULL);
+			break;
+#ifdef INET6
+		case AF_INET6:
+			pmtu = tcp_maxmtu6(&inc, NULL);
+			break;
+#endif
+		}
+		if (pmtu == 0)
+			return (0);
+
+		tcp_hc_updatemtu(&inc, pmtu);
+	}
 
 	hlen = ipsec_hdrsiz_internal(sp);
 	if (m_length(m, NULL) + hlen > pmtu) {
 		/*
 		 * If we're forwarding generate ICMP message here,
-		 * so that it contains pmtu and not link mtu.
+		 * so that it contains pmtu substraced by header size.
 		 * Set error to EINPROGRESS, in order for the frame
 		 * to be dropped silently.
 		 */
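
Review bot: In the new `pmtu == 0` branch, `tcp_hc_updatemtu(&inc, pmtu)` writes the value returned by `tcp_maxmtu()`/`tcp_maxmtu6()` into the hostcache, so every later `tcp_hc_getmtu(&inc)` for this destination returns the link MTU as if it were a learned path MTU. That side effect is not mentioned in the commit message or in the comment above the branch; please either state in the comment why seeding the hostcache is intended here, or keep the fallback value local and skip the update. The `switch (dst->sa.sa_family)` also has no `default:` case; the second `if (pmtu == 0)` check covers it, but an explicit `default: break;` would make the fall-through to `return (0)` obvious. Finally, the reworded comment contains a typo ("substraced"); something like "so that it contains pmtu minus the IPsec header size" reads more clearly.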


