Hi,
This fixes path MTU discovery for ESP tunneled in IPv6. In IPv6
we always want short TCP segments or fragments encapsulated in ESP
instead of fragmented ESP packets.
ok?
bluhm
Index: netinet/ip_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.361
diff -u -p -r1.361 ip_output.c
--- netinet/ip_output.c 16 Jan 2021 07:58:12 -0000 1.361
+++ netinet/ip_output.c 29 Jan 2021 16:05:32 -0000
@@ -625,6 +625,9 @@ ip_output_ipsec_send(struct tdb *tdb, st
m_freem(m);
return EMSGSIZE;
}
+ /* propagate IP_DF for v4-over-v6 */
+ if (ip_mtudisc && ip->ip_off & htons(IP_DF))
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
/*
* Clear these -- they'll be set in the recursive invocation
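Review bot: The added comment says the flag is propagated "for v4-over-v6", but the test in ip_output_ipsec_send() never looks at the outer address family of `tdb`, so M_IPV6_DF_OUT is set on every DF packet whenever ip_mtudisc is on. The same applies to the "v6-over-v6" comment in the ip6_output_ipsec_send() hunk further down. If the flag is harmless when the outer header is IPv4 (not visible from these hunks), the comment should say so, for example `/* mark DF for an IPv6 outer header; has no effect if the tunnel is IPv4 */`. I would also parenthesize the mask test, `if (ip_mtudisc && (ip->ip_off & htons(IP_DF)))`, because the precedence of `&` against `&&` is easy to misread. Both function bodies start and end outside their hunks.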
Index: netinet6/ip6_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.249
diff -u -p -r1.249 ip6_output.c
--- netinet6/ip6_output.c 11 Jan 2021 13:28:54 -0000 1.249
+++ netinet6/ip6_output.c 28 Jan 2021 18:53:24 -0000
@@ -681,6 +681,10 @@ reroute:
else
dontfrag = 0;
if (dontfrag && tlen > ifp->if_mtu) { /* case 2-b */
+#ifdef IPSEC
+ if (ip_mtudisc)
+ ipsec_adjust_mtu(m, mtu);
+#endif
error = EMSGSIZE;
goto bad;
}
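Review bot: The guard for case 2-b compares `tlen` with `ifp->if_mtu`, but the value handed to `ipsec_adjust_mtu()` is `mtu`. Nothing in the hunk explains why the two differ, or whether the call has any effect on packets that carry no IPsec state. A short comment above the call would make the intent reviewable, for example `/* record the path MTU on the enclosing tunnel before reporting EMSGSIZE */`. Because this value presumably bounds what the tunnel will accept afterwards, it is worth confirming outside this hunk that `mtu` cannot be below the IPv6 minimum at this point. The enclosing function continues outside the hunk.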
@@ -2854,6 +2858,9 @@ ip6_output_ipsec_send(struct tdb *tdb, s
m_freem(m);
return EMSGSIZE;
}
+ /* propagate don't fragment for v6-over-v6 */
+ if (ip_mtudisc)
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
/*
* Clear these -- they'll be set in the recursive invocation