ipsec: Add support for PMTUD for IPv6 tunnels

Discard and send ICMPv6 Packet Too Big to sender when we try to encapsulate
and forward a packet which total length exceeds the PMTU.
Logic is based on the IPv4 implementation.
Common code was moved to a separate function.

Differential revision:	https://reviews.freebsd.org/D31771
Obtained from:		Semihalf
Sponsored by:		Stormshield

sys/netipsec/ipsec6.h

@@ -74,6 +74,7 @@ int ipsec6_output(struct mbuf *, struct inpcb *);
 int ipsec6_capability(struct mbuf *, u_int);
 int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec6_ctlinput(int, struct sockaddr *, void *);
+int ipsec6_check_pmtu(struct mbuf *, struct secpolicy *, int);
 int ipsec6_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
 
 int ip6_ipsec_filtertunnel(struct mbuf *);

sys/netipsec/ipsec_output.c

@@ -106,6 +106,7 @@
 } while (0)
 
 static int ipsec_encap(struct mbuf **mp, struct secasindex *saidx);
+static size_t ipsec_get_pmtu(struct secasvar *sav);
 
 #ifdef INET
 static struct secasvar *
@@ -297,8 +298,6 @@ ipsec4_process_packet(struct mbuf *m, struct secpolicy *sp,
 int
 ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 {
-	union sockaddr_union *dst;
-	struct in_conninfo inc;
 	struct secasvar *sav;
 	struct ip *ip;
 	size_t hlen, pmtu;
@@ -333,44 +332,15 @@ ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
 		return (error);
 	}
 
-	dst = &sav->sah->saidx.dst;
-	memset(&inc, 0, sizeof(inc));
-	switch (dst->sa.sa_family) {
-	case AF_INET:
-		inc.inc_faddr = satosin(&dst->sa)->sin_addr;
-		break;
-#ifdef INET6
-	case AF_INET6:
-		inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr;
-		inc.inc_flags |= INC_ISIPV6;
-		break;
-#endif
-	default:
+	pmtu = ipsec_get_pmtu(sav);
+	if (pmtu == 0) {
 		key_freesav(&sav);
 		return (0);
 	}
 
-	key_freesav(&sav);
-	pmtu = tcp_hc_getmtu(&inc);
-	/* No entry in hostcache. Use link MTU instead. */
-	if (pmtu == 0) {
-		switch (dst->sa.sa_family) {
-		case AF_INET:
-			pmtu = tcp_maxmtu(&inc, NULL);
-			break;
-#ifdef INET6
-		case AF_INET6:
-			pmtu = tcp_maxmtu6(&inc, NULL);
-			break;
-#endif
-		}
-		if (pmtu == 0)
-			return (0);
-
-		tcp_hc_updatemtu(&inc, pmtu);
-	}
-
 	hlen = ipsec_hdrsiz_internal(sp);
+	key_freesav(&sav);
+
 	if (m_length(m, NULL) + hlen > pmtu) {
 		/*
 		 * If we're forwarding generate ICMP message here,
@@ -720,6 +690,72 @@ ipsec6_process_packet(struct mbuf *m, struct secpolicy *sp,
 	return (ipsec6_perform_request(m, sp, inp, 0));
 }
 
+/*
+ * IPv6 implementation is based on IPv4 implementation.
+ */
+int
+ipsec6_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
+{
+	struct secasvar *sav;
+	size_t hlen, pmtu;
+	uint32_t idx;
+	int error;
+
+	/*
+	 * According to RFC8200 L3 fragmentation is supposed to be done only on
+	 * locally generated packets. During L3 forwarding packets that are too
+	 * big are always supposed to be dropped, with an ICMPv6 packet being
+	 * sent back.
+	 */
+	if (!forwarding)
+		return (0);
+
+	idx = sp->tcount - 1;
+	sav = ipsec6_allocsa(m, sp, &idx, &error);
+	if (sav == NULL) {
+		key_freesp(&sp);
+		/*
+		 * No matching SA was found and SADB_ACQUIRE message was generated.
+		 * Since we have matched a SP to this packet drop it silently.
+		 */
+		if (error == 0)
+			error = EINPROGRESS;
+		if (error != EJUSTRETURN)
+			m_freem(m);
+
+		return (error);
+	}
+
+	pmtu = ipsec_get_pmtu(sav);
+	if (pmtu == 0) {
+		key_freesav(&sav);
+		return (0);
+	}
+
+	hlen = ipsec_hdrsiz_internal(sp);
+	key_freesav(&sav);
+
+	if (m_length(m, NULL) + hlen > pmtu) {
+		/*
+		 * If we're forwarding generate ICMPv6 message here,
+		 * so that it contains pmtu substracted by header size.
+		 * Set error to EINPROGRESS, in order for the frame
+		 * to be dropped silently.
+		 */
+		if (forwarding) {
+			if (pmtu > hlen)
+				icmp6_error(m, ICMP6_PACKET_TOO_BIG, 0, pmtu - hlen);
+			else
+				m_freem(m);
+
+			key_freesp(&sp);
+			return (EINPROGRESS); /* Pretend that we consumed it. */
+		}
+	}
+
+	return (0);
+}
+
 static int
 ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 {
@@ -766,6 +802,15 @@ ipsec6_common_output(struct mbuf *m, struct inpcb *inp, int forwarding)
 		}
 #endif
 	}
+
+	error = ipsec6_check_pmtu(m, sp, forwarding);
+	if (error != 0) {
+		if (error == EJUSTRETURN)
+			return (0);
+
+		return (error);
+	}
+
 	/* NB: callee frees mbuf and releases reference to SP */
 	error = ipsec6_process_packet(m, sp, inp);
 	if (error == EJUSTRETURN) {
@@ -1001,6 +1046,59 @@ ipsec_prepend(struct mbuf *m, int len, int how)
 	return (n);
 }
 
+static size_t
+ipsec_get_pmtu(struct secasvar *sav)
+{
+	union sockaddr_union *dst;
+	struct in_conninfo inc;
+	size_t pmtu;
+
+	dst = &sav->sah->saidx.dst;
+	memset(&inc, 0, sizeof(inc));
+
+	switch (dst->sa.sa_family) {
+#ifdef INET
+	case AF_INET:
+		inc.inc_faddr = satosin(&dst->sa)->sin_addr;
+		break;
+#endif
+#ifdef INET6
+	case AF_INET6:
+		inc.inc6_faddr = satosin6(&dst->sa)->sin6_addr;
+		inc.inc_flags |= INC_ISIPV6;
+		break;
+#endif
+	default:
+		return (0);
+	}
+
+	pmtu = tcp_hc_getmtu(&inc);
+	if (pmtu != 0)
+		return (pmtu);
+
+	/* No entry in hostcache. Assume that PMTU is equal to link's MTU */
+	switch (dst->sa.sa_family) {
+#ifdef INET
+	case AF_INET:
+		pmtu = tcp_maxmtu(&inc, NULL);
+		break;
+#endif
+#ifdef INET6
+	case AF_INET6:
+		pmtu = tcp_maxmtu6(&inc, NULL);
+		break;
+#endif
+	default:
+		return (0);
+	}
+	if (pmtu == 0)
+		return (0);
+
+	tcp_hc_updatemtu(&inc, pmtu);
+
+	return (pmtu);
+}
+
 static int
 ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 {