From 89de4c798c8a4662405a390fcbdd22fbde0f69b0 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Mon, 1 Feb 2021 13:25:04 +0000
Subject: [PATCH] Fix path MTU discovery for ESP tunneled in IPv6. We always want short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. Pass the don't fragment flag down along the stack so that dynamic routes with MTU are created eventually. with and OK markus@; OK tobhe@
---
 sys/netinet/ip_output.c | 5 ++++-
 sys/netinet6/ip6_output.c | 9 ++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 648819c33d6..aff08bae028 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.361 2021/01/16 07:58:12 claudio Exp $ */
+/* $OpenBSD: ip_output.c,v 1.362 2021/02/01 13:25:04 bluhm Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -625,6 +625,9 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd)
 m_freem(m);
 return EMSGSIZE;
 }
+ /* propagate IP_DF for v4-over-v6 */
+ if (ip_mtudisc && ip->ip_off & htons(IP_DF))
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
 /*
 * Clear these -- they'll be set in the recursive invocation
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index e0889c93a2d..2cc065e5f0a 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.250 2021/02/01 12:08:50 bluhm Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.251 2021/02/01 13:25:04 bluhm Exp $ */
 /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
 /*
@@ -682,6 +682,10 @@ reroute:
 else
 dontfrag = 0;
 if (dontfrag && tlen > ifp->if_mtu) { /* case 2-b */
+#ifdef IPSEC
+ if (ip_mtudisc)
+ ipsec_adjust_mtu(m, mtu);
+#endif
 error = EMSGSIZE;
 goto bad;
 }
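Review bot: In the `ip_output_ipsec_send()` hunk of sys/netinet/ip_output.c, the new test `ip_mtudisc && ip->ip_off & htons(IP_DF)` relies on `&` binding tighter than `&&`; it evaluates as intended, but the mask test is easier to read and harder to break as `if (ip_mtudisc && (ip->ip_off & htons(IP_DF)))`. The comment says the flag is for v4-over-v6, yet nothing in the visible lines checks the outer address family, so `M_IPV6_DF_OUT` appears to be set when the outer header is IPv4 as well. If it is simply ignored in that case, the comment could say so, e.g. `/* propagate IP_DF for v4-over-v6; not consulted when the outer header is IPv4 */`. The function starts and ends outside the hunk, so where `ip` is assigned is not visible here.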
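Review bot: In the `reroute:` hunk of sys/netinet6/ip6_output.c, the guard compares `tlen` with `ifp->if_mtu` while the new call passes `mtu` to `ipsec_adjust_mtu()`; `mtu` is computed outside the hunk, so it is not visible whether the two values can differ on this path. A short comment above the `#ifdef IPSEC` block would settle which value the IPsec layer is meant to learn, something like `/* hand the usable MTU to IPsec so the tunneled sender can lower its path MTU */`. The call is also made for every packet that reaches case 2-b, so it presumably has to cope with packets that never went through IPsec; that is worth confirming in `ipsec_adjust_mtu()`, which is not part of this patch.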
@@ -2851,6 +2855,9 @@ ip6_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route_in6 *ro,
 m_freem(m);
 return EMSGSIZE;
 }
+ /* propagate don't fragment for v6-over-v6 */
+ if (ip_mtudisc)
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
 /*
 * Clear these -- they'll be set in the recursive invocation
-- 
2.20.1
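Review bot: In the `ip6_output_ipsec_send()` hunk, `M_IPV6_DF_OUT` is set on every packet whenever `ip_mtudisc` is non-zero, whereas the IPv4 counterpart in sys/netinet/ip_output.c also requires `IP_DF` on the inner header; the comment should say why there is no per-packet condition here. Something like `/* IPv6 has no DF bit: with path MTU discovery on, never fragment the outer ESP packet */` would make that explicit. `ip_mtudisc` appears to be the IPv4 path-MTU-discovery switch, so this hunk and the `reroute:` hunk make IPv6 ESP behaviour depend on it, and a word about that in the comment would help whoever tunes the setting. The function body continues outside the hunk.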