Date: Fri, 24 Sep 2021 08:28:31 GMT
Message-Id: <202109240828.18O8SVQY075267@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Wojciech Macek
Subject: git: b4220bf387e6 - main - ipsec: If no PMTU in hostcache assume it's equal to link's MTU

The branch main has been updated by wma:

URL: https://cgit.FreeBSD.org/src/commit/?id=b4220bf387e62f59d73308f122f5eea887a59d58

commit b4220bf387e62f59d73308f122f5eea887a59d58
Author: Bartlomiej Grzesik
AuthorDate: 2021-09-24 08:25:53 +0000
Commit: Wojciech Macek
CommitDate: 2021-09-24 08:25:53 +0000

ipsec: If no PMTU in hostcache assume it's equal to link's MTU

If we fail to find the PMTU in hostcache, we assume it's equal to link's MTU. This patch prevents packets larger than link's MTU to be dropped silently if there is no PMTU in hostcache.

Differential revision: https://reviews.freebsd.org/D31770
Obtained from: Semihalf
Sponsored by: Stormshield

--- sys/netipsec/ipsec_output.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 50bbd72f0589..c4e34665b8f5 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c
@@ -352,15 +352,29 @@ setdf: key_freesav(&sav); pmtu = tcp_hc_getmtu(&inc); - /* No entry in hostcache. */ - if (pmtu == 0) - return (0); + /* No entry in hostcache. Use link MTU instead. */ + if (pmtu == 0) { + switch (dst->sa.sa_family) { + case AF_INET: + pmtu = tcp_maxmtu(&inc, NULL); + break; +#ifdef INET6 + case AF_INET6: + pmtu = tcp_maxmtu6(&inc, NULL); + break; +#endif + } + if (pmtu == 0) + return (0); + + tcp_hc_updatemtu(&inc, pmtu); + } hlen = ipsec_hdrsiz_internal(sp); if (m_length(m, NULL) + hlen > pmtu) { /* * If we're forwarding generate ICMP message here, - * so that it contains pmtu and not link mtu. + * so that it contains pmtu substraced by header size. * Set error to EINPROGRESS, in order for the frame * to be dropped silently. */
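
Review bot: The `tcp_hc_updatemtu(&inc, pmtu);` call at the end of the new `if (pmtu == 0)` block writes the link-MTU fallback into the hostcache, so later `tcp_hc_getmtu()` lookups cannot tell it apart from a path MTU that was actually discovered, and every destination that misses the cache on this path gains an entry. If the caching is intentional, the comment above the block should say so and explain why the value is stored rather than only used for this packet; otherwise drop the update and keep the fallback local. The `switch` also has no `default:` case, so it relies on `pmtu` still being 0 for other address families (and for `AF_INET6` when `INET6` is not defined) to reach `return (0)`; an explicit `default:` would make that visible. Minor: "substraced" in the updated ICMP comment should be "subtracted".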