author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-12-20 21:15:48 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2020-12-20 21:15:48 +0000 |
commit | 34f1d073a51b62377a2a1cd410596d7b9658032a (patch) | |
tree | a608a0e24e6cbe509300963478f7db65d7b75f49 /sys | |
parent | 0368ff634761a7f459c9e4416ed8490bec2c6d0d (diff) |
Accept reject and blackhole routes for IPsec PMTU discovery.
Since revision 1.87 of ip_icmp.c, icmp_mtudisc_clone() has ignored reject
routes. Otherwise TCP would clone these routes for PMTU discovery.
They will not work, even after dynamic routing has found a better
route than the reject route.
With IPsec the use case is different. First you need a route, but
then the flow handles the packet without routing. Usually this
route should be a reject route to avoid sending unencrypted traffic
if the flow is missing. But IPsec needs this route for PMTU
discovery, so use it for that.
OK claudio@ tobhe@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_icmp.c | 11 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.h | 4 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 4 | ||||
-rw-r--r-- | sys/netinet/tcp_timer.c | 4 |
4 files changed, 13 insertions, 10 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 8a162c0ecde..5deaa3822a8 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.c,v 1.183 2020/08/22 17:55:54 gnezdo Exp $ */
+/* $OpenBSD: ip_icmp.c,v 1.184 2020/12/20 21:15:47 bluhm Exp $ */
 /* $NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $ */
 /*
@@ -928,7 +928,7 @@ icmp_sysctl_icmpstat(void *oldp, size_t *oldlenp, void *newp)
 }
 struct rtentry *
-icmp_mtudisc_clone(struct in_addr dst, u_int rtableid)
+icmp_mtudisc_clone(struct in_addr dst, u_int rtableid, int ipsec)
 {
 struct sockaddr_in sin;
 struct rtentry *rt;
@@ -942,7 +942,10 @@ icmp_mtudisc_clone(struct in_addr dst, u_int rtableid)
 rt = rtalloc(sintosa(&sin), RT_RESOLVE, rtableid);
 /* Check if the route is actually usable */
- if (!rtisvalid(rt) || (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
+ if (!rtisvalid(rt))
+ goto bad;
+ /* IPsec needs the route only for PMTU, it can use reject for that */
+ if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))
 goto bad;
 /*
@@ -1000,7 +1003,7 @@ icmp_mtudisc(struct icmp *icp, u_int rtableid)
 struct ifnet *ifp;
 u_long mtu = ntohs(icp->icmp_nextmtu); /* Why a long? IPv6 */
- rt = icmp_mtudisc_clone(icp->icmp_ip.ip_dst, rtableid);
+ rt = icmp_mtudisc_clone(icp->icmp_ip.ip_dst, rtableid, 0);
 if (rt == NULL)
 return;
diff --git a/sys/netinet/ip_icmp.h b/sys/netinet/ip_icmp.h
index 7f844df30d4..9c0d76ec3b9 100644
--- a/sys/netinet/ip_icmp.h
+++ b/sys/netinet/ip_icmp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_icmp.h,v 1.31 2018/11/05 21:50:39 claudio Exp $ */
+/* $OpenBSD: ip_icmp.h,v 1.32 2020/12/20 21:15:47 bluhm Exp $ */
 /* $NetBSD: ip_icmp.h,v 1.10 1996/02/13 23:42:28 christos Exp $ */
 /* 
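Review bot: The new `int ipsec` parameter in the icmp_mtudisc_clone() signature is a boolean selector that every caller passes as a bare literal (`0` in icmp_mtudisc() and tcp_timer_rexmt(), `1` in ip_output_ipsec_send()), and neither the definition here nor the prototype in ip_icmp.h says what it selects. A comment above the definition such as `/* ipsec: non-zero when the caller needs the route only to record a PMTU, so reject and blackhole routes are accepted */` would make those literals readable at the call sites; the prototype hunk in ip_icmp.h would benefit from the same line. The body of icmp_mtudisc_clone() continues past this hunk.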
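Review bot: With `ipsec` set, a route carrying RTF_REJECT or RTF_BLACKHOLE now passes the usability check at `if (!ipsec && (rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)))` and continues into the host-route cloning that follows this hunk, and nothing visible here shows whether the cloned host entry inherits those two flags from its parent. If the clone is created without them (the cloning code is outside this hunk, so this is unconfirmed), a later non-IPsec packet to the same destination could match the dynamic host clone instead of the reject route that the commit message says exists precisely to keep unencrypted traffic from leaving when the flow is missing. Worth confirming that the route-add below copies `rt->rt_flags & (RTF_REJECT|RTF_BLACKHOLE)` into the new entry, or that the IPsec flow lookup is guaranteed to run before any route-based forwarding decision for that destination. The new comment could also say this explicitly, e.g. `/* With ipsec set the caller only stores a PMTU in rt; reject/blackhole parents are accepted, so the clone must keep those flags */`. icmp_mtudisc_clone() begins and ends outside this hunk.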
@@ -239,7 +239,7 @@ int icmp_reflect(struct mbuf *, struct mbuf **, struct in_ifaddr *);
 void icmp_send(struct mbuf *, struct mbuf *);
 int icmp_sysctl(int *, u_int, void *, size_t *, void *, size_t);
 struct rtentry *
- icmp_mtudisc_clone(struct in_addr, u_int);
+ icmp_mtudisc_clone(struct in_addr, u_int, int);
 void icmp_mtudisc(struct icmp *, u_int);
 int icmp_do_exthdr(struct mbuf *, u_int16_t, u_int8_t, void *, size_t);
 #endif /* _KERNEL */
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 788f47da48d..c7db8c28e2e 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.357 2020/06/24 22:03:43 cheloha Exp $ */
+/* $OpenBSD: ip_output.c,v 1.358 2020/12/20 21:15:47 bluhm Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -605,7 +605,7 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd)
 rt = NULL;
 else if (rt == NULL || (rt->rt_flags & RTF_HOST) == 0) {
 rt = icmp_mtudisc_clone(ip->ip_dst,
- m->m_pkthdr.ph_rtableid);
+ m->m_pkthdr.ph_rtableid, 1);
 rt_mtucloned = 1;
 }
 DPRINTF(("%s: spi %08x mtu %d rt %p cloned %d\n", __func__,
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index f2e4a4a77b8..5f3ffdf40fe 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_timer.c,v 1.67 2018/06/11 07:40:26 bluhm Exp $ */
+/* $OpenBSD: tcp_timer.c,v 1.68 2020/12/20 21:15:47 bluhm Exp $ */
 /* $NetBSD: tcp_timer.c,v 1.14 1996/02/13 23:44:09 christos Exp $ */
 /*
@@ -292,7 +292,7 @@ tcp_timer_rexmt(void *arg)
 #endif
 case PF_INET:
 rt = icmp_mtudisc_clone(inp->inp_faddr,
- inp->inp_rtableid);
+ inp->inp_rtableid, 0);
 break;
 }
 if (rt != NULL) { |