On Mon, Jun 21, 2021 at 09:40:06AM +0200, Alexandr Nedvedicky wrote:
> looks like there must be yet another code path, which
> enters the recursion.
Yes.
Do you use routing domains in pf? Do you have reject or blackhole
routes?
Please send:
- netstat -rn
- a description which routes are used for IPsec
- ipsecctl -s flow
- pf rules that affect rdomains or rtable.
I guess that path MTU discovery does not work in your case. It
recurses over tcp_mtudisc().
If it is a reject route, this check in icmp_mtudisc_clone() could
prevent my fix from working.
	/* IPsec needs the route only for PMTU, it can use reject for that */
	if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
		goto bad;
Could you try this diff?
bluhm
Index: netinet/ip_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.371
diff -u -p -r1.371 ip_output.c
--- netinet/ip_output.c 12 May 2021 08:09:33 -0000 1.371
+++ netinet/ip_output.c 22 Jun 2021 12:19:31 -0000
@@ -482,7 +482,7 @@ sendit:
rtfree(ro->ro_rt);
ro->ro_tableid = orig_rtableid;
ro->ro_rt = icmp_mtudisc_clone(
- satosin(&ro->ro_dst)->sin_addr, ro->ro_tableid, 0);
+ satosin(&ro->ro_dst)->sin_addr, ro->ro_tableid, 1);
}
#endif
/*
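Review bot: the bare literal 1 in the new icmp_mtudisc_clone() call is opaque at the call site; since its effect is to skip the RTF_REJECT|RTF_BLACKHOLE check quoted above and accept a reject or blackhole route as the PMTU clone, a short comment on the line before the call (e.g. "/* ipsec: PMTU only, reject route is fine */") would record why this path differs from the non-IPsec callers that still pass 0. Also worth confirming in the same hunk that the code following the #endif only uses ro->ro_rt for its MTU and never tries to transmit over it, because with the flag set to 1 the cloned route may now carry RTF_REJECT or RTF_BLACKHOLE, and that the caller still handles a NULL return from icmp_mtudisc_clone() without re-entering the tcp_mtudisc() recursion the thread is chasing.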