Commit b4220bf3 authored by Bartlomiej Grzesik, committed by Wojciech Macek

ipsec: If no PMTU in hostcache assume it's equal to link's MTU

If we fail to find PMTU in hostcache, we assume it's equal
to link's MTU.

This patch prevents packets larger than link's MTU from being dropped
silently if there is no PMTU in hostcache.

Differential revision:	https://reviews.freebsd.org/D31770
Obtained from:		Semihalf
Sponsored by:		Stormshield
parent 4f337695
......@@ -352,15 +352,29 @@ ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
key_freesav(&sav);
pmtu = tcp_hc_getmtu(&inc);
/* No entry in hostcache. */
if (pmtu == 0)
return (0);
/* No entry in hostcache. Use link MTU instead. */
if (pmtu == 0) {
switch (dst->sa.sa_family) {
case AF_INET:
pmtu = tcp_maxmtu(&inc, NULL);
break;
#ifdef INET6
case AF_INET6:
pmtu = tcp_maxmtu6(&inc, NULL);
break;
#endif
}
if (pmtu == 0)
return (0);
tcp_hc_updatemtu(&inc, pmtu);
}
hlen = ipsec_hdrsiz_internal(sp);
if (m_length(m, NULL) + hlen > pmtu) {
/*
* If we're forwarding generate ICMP message here,
* so that it contains pmtu and not link mtu.
* so that it contains pmtu substraced by header size.
* Set error to EINPROGRESS, in order for the frame
* to be dropped silently.
*/
......
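Review bot: In the new `if (pmtu == 0)` block, `tcp_hc_updatemtu(&inc, pmtu)` writes the link-MTU fallback into the hostcache, which makes an assumed value indistinguishable from a PMTU that was actually learned, and a later `tcp_hc_getmtu(&inc)` would presumably return it without consulting `tcp_maxmtu()` / `tcp_maxmtu6()` again. Please add a comment saying why the fallback is cached rather than used only for this check, or drop the update if caching is not required. The `switch (dst->sa.sa_family)` also has no `default:` case; the following `if (pmtu == 0) return (0);` does cover an unhandled family, but an explicit `default:` with a short comment would make that intent visible. Minor: in the comment above the ICMP path, "substraced" should be "subtracted", and "pmtu minus the IPsec header size" would read more clearly.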