Page MenuHomeFreeBSD
Files F115913632

D30993.diff
No OneTemporary
Actions

D30993.diff
View Options

diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -332,6 +332,7 @@
int ipsec_updatereplay(uint32_t, struct secasvar *);
int ipsec_updateid(struct secasvar *, crypto_session_t *, crypto_session_t *);
int ipsec_initialized(void);
+size_t ipsec_hdrsiz_internal(struct secpolicy *);
void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *, u_int);
@@ -345,6 +346,7 @@
int ipsec4_capability(struct mbuf *, u_int);
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
int ipsec4_ctlinput(int, struct sockaddr *, void *);
+int ipsec4_check_pmtu(struct mbuf *, struct secpolicy *, int);
int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *,
u_int);
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -1093,7 +1093,7 @@
* Compute the byte size to be occupied by IPsec header.
* In case it is tunnelled, it includes the size of outer IP header.
*/
-static size_t
+size_t
ipsec_hdrsiz_internal(struct secpolicy *sp)
{
size_t size;
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -61,6 +61,8 @@
#ifdef INET6
#include <netinet6/ip6_ecn.h>
#endif
+#include <netinet/ip_icmp.h>
+#include <netinet/tcp_var.h>
#include <netinet/ip6.h>
#ifdef INET6
@@ -292,6 +294,83 @@
return (ipsec4_perform_request(m, sp, inp, 0));
}
+int
+ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
+{
+ union sockaddr_union *dst;
+ struct in_conninfo inc;
+ struct secasvar *sav;
+ struct ip *ip;
+ size_t hlen, pmtu;
+ uint32_t idx;
+ int error;
+
+
+ /* Don't check PMTU if the frame won't have DF bit set. */
+ if (!V_ip4_ipsec_dfbit)
+ return (0);
+ if (V_ip4_ipsec_dfbit == 1)
+ goto setdf;
+
+ /* V_ip4_ipsec_dfbit > 1 - we will copy it from inner header. */
+ ip = mtod(m, struct ip *);
+ if (!(ip->ip_off & htons(IP_DF)))
+ return (0);
+
+setdf:
+ idx = sp->tcount - 1;
+ sav = ipsec4_allocsa(m, sp, &idx, &error);
+ if (sav == NULL) {
+ key_freesp(&sp);
+ if (error != EJUSTRETURN)
+ m_freem(m);
+
+ return (error);
+ }
+
+ dst = &sav->sah->saidx.dst;
+
+ /* Final header is not ipv4. */
+ if (dst->sa.sa_family != AF_INET) {
+ key_freesav(&sav);
+ return (0);
+ }
+
+ memset(&inc, 0, sizeof(inc));
+ inc.inc_faddr = satosin(&dst->sa)->sin_addr;
+ key_freesav(&sav);
+ pmtu = tcp_hc_getmtu(&inc);
+ /* No entry in hostcache. */
+ if (pmtu == 0)
+ return (0);
+
+ hlen = ipsec_hdrsiz_internal(sp);
+ if (m_length(m, NULL) + hlen > pmtu) {
+ /*
+ * If we're forwarding generate ICMP message here,
+ * so that it contains pmtu and not link mtu.
+ * Set error to EINPROGRESS, in order for the frame
+ * to be dropped silently.
+ */
+ if (forwarding) {
+ if (pmtu > hlen)
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
+ 0, pmtu - hlen);
+ else
+ m_freem(m);
+
+ key_freesp(&sp);
+ return (EINPROGRESS); /* Pretend that we consumed it. */
+ } else {
+ m_freem(m);
+ key_freesp(&sp);
+ return (EMSGSIZE);
+ }
+ }
+
+ return (0);
+}
+
static int
ipsec4_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
{
@@ -349,6 +428,14 @@
#endif
}
/* NB: callee frees mbuf and releases reference to SP */
+ error = ipsec4_check_pmtu(m, sp, forwarding);
+ if (error != 0) {
+ if (error == EJUSTRETURN)
+ return (0);
+
+ return (error);
+ }
+
error = ipsec4_process_packet(m, sp, inp);
if (error == EJUSTRETURN) {
/*

File Metadata

Mime Type
text/plain
Expires
Thu, May 1, 8:25 AM (8 h, 47 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
17877636
Default Alt Text
D30993.diff (3 KB)

Event Timeline