From: bluhm Date: Mon, 1 Feb 2021 13:25:04 +0000 (+0000) Subject: Fix path MTU discovery for ESP tunneled in IPv6. We always want X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=89de4c798c8a4662405a390fcbdd22fbde0f69b0;p=openbsd Fix path MTU discovery for ESP tunneled in IPv6. We always want short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. Pass the don't fragment flag down along the stack so that dynamic routes with MTU are created eventually. with and OK markus@; OK tobhe@ --- diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 648819c33d6..aff08bae028 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.361 2021/01/16 07:58:12 claudio Exp $ */ +/* $OpenBSD: ip_output.c,v 1.362 2021/02/01 13:25:04 bluhm Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -625,6 +625,9 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd) m_freem(m); return EMSGSIZE; } + /* propagate IP_DF for v4-over-v6 */ + if (ip_mtudisc && ip->ip_off & htons(IP_DF)) + SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT); /* * Clear these -- they'll be set in the recursive invocation diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index e0889c93a2d..2cc065e5f0a 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.250 2021/02/01 12:08:50 bluhm Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.251 2021/02/01 13:25:04 bluhm Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -682,6 +682,10 @@ reroute: else dontfrag = 0; if (dontfrag && tlen > ifp->if_mtu) { /* case 2-b */ +#ifdef IPSEC + if (ip_mtudisc) + ipsec_adjust_mtu(m, mtu); +#endif error = EMSGSIZE; goto bad; } 
@@ -2851,6 +2855,9 @@ ip6_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route_in6 *ro, m_freem(m); return EMSGSIZE; } + /* propagate don't fragment for v6-over-v6 */ + if (ip_mtudisc) + SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT); /* * Clear these -- they'll be set in the recursive invocation
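Review bot: In the ip_output_ipsec_send() hunk of sys/netinet/ip_output.c, the test `ip_mtudisc && ip->ip_off & htons(IP_DF)` relies on `&` binding tighter than `&&`. It evaluates as intended, but writing the mask test as `(ip->ip_off & htons(IP_DF))` makes that explicit and avoids precedence warnings. The comment says "v4-over-v6", yet the visible condition does not look at the outer address family of the tdb, so M_IPV6_DF_OUT is set on any IPv4 packet with IP_DF that reaches this point. Either test the outer family or state in the comment that the flag has no effect when the outer header is IPv4.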
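Review bot: In the "case 2-b" hunk of sys/netinet6/ip6_output.c, the guard compares tlen against `ifp->if_mtu` while the new call is `ipsec_adjust_mtu(m, mtu)`. A short comment should say why the value passed differs from the one tested and which of the two the MTU route is meant to record. The new block also gates IPv6 behaviour on ip_mtudisc, the same variable the ip_output.c hunk tests. That coupling deserves a word in the comment, since a reader of ip6_output.c would not expect it.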
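Review bot: In the ip6_output_ipsec_send() hunk, the comment "propagate don't fragment for v6-over-v6" does not match the code: `if (ip_mtudisc) SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);` reads nothing from the packet and sets the flag on every packet whenever ip_mtudisc is non-zero, unlike the ip_output.c hunk, which checks IP_DF per packet. Reword the comment to say the flag is always set for the v6 inner packet and why, so the asymmetry with the v4 path is visibly intentional.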