authorbluhm <bluhm@openbsd.org>2021-02-01 13:25:04 +0000
committerbluhm <bluhm@openbsd.org>2021-02-01 13:25:04 +0000
commit89de4c798c8a4662405a390fcbdd22fbde0f69b0 (patch)
treebb78c2fb7e5f182054314ce0fde5c008fb0a2895
parentSyntax of pf(4) route-to has changed. Adapt tests. (diff)
Fix path MTU discovery for ESP tunneled in IPv6. We always want
short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. Pass the don't fragment flag down along the stack so that dynamic routes with MTU are created eventually. with and OK markus@; OK tobhe@
-rw-r--r--sys/netinet/ip_output.c5
-rw-r--r--sys/netinet6/ip6_output.c9
2 files changed, 12 insertions, 2 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 648819c33d6..aff08bae028 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.361 2021/01/16 07:58:12 claudio Exp $ */
+/* $OpenBSD: ip_output.c,v 1.362 2021/02/01 13:25:04 bluhm Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -625,6 +625,9 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd)
m_freem(m);
return EMSGSIZE;
}
+ /* propagate IP_DF for v4-over-v6 */
+ if (ip_mtudisc && ip->ip_off & htons(IP_DF))
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
/*
* Clear these -- they'll be set in the recursive invocation
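Review bot: The added condition `ip_mtudisc && ip->ip_off & htons(IP_DF)` relies on `&` binding tighter than `&&`; it evaluates as intended, but explicit parentheses would make that obvious to the next reader: `if (ip_mtudisc && (ip->ip_off & htons(IP_DF)))`. The comment says v4-over-v6, yet the outer address family is not visible at this point in the hunk. If M_IPV6_DF_OUT is only consulted when the outer header is IPv6, the comment should say so. ip_output_ipsec_send starts and ends outside the hunk.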
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index e0889c93a2d..2cc065e5f0a 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.250 2021/02/01 12:08:50 bluhm Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.251 2021/02/01 13:25:04 bluhm Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -682,6 +682,10 @@ reroute:
else
dontfrag = 0;
if (dontfrag && tlen > ifp->if_mtu) { /* case 2-b */
+#ifdef IPSEC
+ if (ip_mtudisc)
+ ipsec_adjust_mtu(m, mtu);
+#endif
error = EMSGSIZE;
goto bad;
}
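Review bot: The case 2-b test compares `tlen` against `ifp->if_mtu`, but the new call passes `mtu` to `ipsec_adjust_mtu()`, and nothing in the hunk explains why the two differ. `mtu` is computed outside the hunk, so I cannot tell whether it has a lower bound here. Going by the commit message, the value seems to end up in the MTU learned for the tunnel, so a comment stating the invariant would make it checkable, e.g. `/* mtu is the path MTU determined above, never below IPV6_MMTU */`. If no such bound is actually enforced, the clamp belongs before this call. The enclosing function starts and ends outside the hunk.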
@@ -2851,6 +2855,9 @@ ip6_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route_in6 *ro,
m_freem(m);
return EMSGSIZE;
}
+ /* propagate don't fragment for v6-over-v6 */
+ if (ip_mtudisc)
+ SET(m->m_pkthdr.csum_flags, M_IPV6_DF_OUT);
/*
* Clear these -- they'll be set in the recursive invocation
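Review bot: The IPv6 path is gated on `ip_mtudisc`, which by its name is the IPv4 path-MTU-discovery knob, and the same gate is used in the case 2-b hunk earlier in this file. If that is deliberate, the comment should say so, e.g. `/* propagate don't fragment for v6-over-v6; ip_mtudisc also governs IPsec over IPv6 */`. Otherwise an administrator who turns the knob off for IPv4 also changes ESP-in-IPv6 behaviour without any visible hint. ip6_output_ipsec_send continues outside the hunk.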