ipsec: If no PMTU in hostcache assume it's equal to link's MTU
If we fail to find the PMTU in hostcache, we assume it's equal to the link's MTU. This patch prevents packets larger than the link's MTU from being dropped silently if there is no PMTU in hostcache. Differential revision: https://reviews.freebsd.org/D31770 Obtained from: Semihalf Sponsored by: Stormshield
parent
4f3376951d
commit
b4220bf387
@ -352,15 +352,29 @@ ipsec4_check_pmtu(struct mbuf *m, struct secpolicy *sp, int forwarding)
|
||||
|
||||
key_freesav(&sav);
|
||||
pmtu = tcp_hc_getmtu(&inc);
|
||||
/* No entry in hostcache. */
|
||||
/* No entry in hostcache. Use link MTU instead. */
|
||||
if (pmtu == 0) {
|
||||
switch (dst->sa.sa_family) {
|
||||
case AF_INET:
|
||||
pmtu = tcp_maxmtu(&inc, NULL);
|
||||
break;
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
pmtu = tcp_maxmtu6(&inc, NULL);
|
||||
break;
|
||||
#endif
|
||||
}
|
||||
if (pmtu == 0)
|
||||
return (0);
|
||||
|
||||
tcp_hc_updatemtu(&inc, pmtu);
|
||||
}
|
||||
|
||||
hlen = ipsec_hdrsiz_internal(sp);
|
||||
if (m_length(m, NULL) + hlen > pmtu) {
|
||||
/*
|
||||
* If we're forwarding generate ICMP message here,
|
||||
* so that it contains pmtu and not link mtu.
|
||||
* so that it contains pmtu substraced by header size.
|
||||
* Set error to EINPROGRESS, in order for the frame
|
||||
* to be dropped silently.
|
||||
*/
|
||||
|
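Review bot: The `tcp_hc_updatemtu(&inc, pmtu);` call that closes the new `if (pmtu == 0) { ... }` block writes the link MTU into the hostcache as though it were a discovered path MTU. Later calls will then take the cached value from `tcp_hc_getmtu()` and skip the `tcp_maxmtu()`/`tcp_maxmtu6()` lookup, so a later change to the route or interface MTU is presumably not seen until the entry expires or is overwritten. If that is intended, say so above the call, for example `/* Seed the hostcache with the link MTU; a later PMTU update replaces it. */`; otherwise keep the fallback value local and drop the write. `inc` and `dst` are set up outside the hunk, so it is not visible here which address keys the entry or how many entries forwarded traffic can create in the bounded hostcache. The `switch` would also read more clearly with an explicit `default: break;` for families that leave `pmtu` at 0, and "substraced" in the new comment should be "subtracted".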