When doing IP forwarding with [FAST_]IPSEC compiled into the kernel

ip_forward() would report back a zero MTU in ICMP needfrag messages because on a IPSEC SP lookup failure no MTU got computed. Fix this by changing the logic to compute a new MTU in any case if IPSEC didn't do it. Change MTU computation logic to use egress interface MTU if available or the next smaller MTU compared to the current packet size instead of falling back to a very small fixed MTU. Fix associated comment. PR: kern/91412 MFC after: 3 days
2006-01-24 17:57:19 +00:00 · 2006-01-24 17:57:19 +00:00 · ab48768b20
commit ab48768b20
parent 1dec73a153
1 changed files with 10 additions and 8 deletions
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@ -1517,17 +1517,19 @@ ip_forward(struct mbuf *m, int srcrt)
 #endif
 				ipstat.ips_cantfrag++;
 				break;
-			} else 
+			}
 #endif /*IPSEC || FAST_IPSEC*/
 		/*
-		 * When doing source routing 'ia' can be NULL.  Fall back
-		 * to the minimum guaranteed routeable packet size and use
-		 * the same hack as IPSEC to setup a dummyifp for icmp.
+		 * If the MTU wasn't set before use the interface mtu or
+		 * fall back to the next smaller mtu step compared to the
+		 * current packet size.
 		 */
-		if (ia == NULL)
-			mtu = IP_MSS;
-		else
-			mtu = ia->ia_ifp->if_mtu;
+		if (mtu == 0) {
+			if (ia != NULL)
+				mtu = ia->ia_ifp->if_mtu;
+			else
+				mtu = ip_next_mtu(ip->ip_len, 0);
+		}
 #if defined(IPSEC) || defined(FAST_IPSEC)
 		}
 #endif /*IPSEC || FAST_IPSEC*/