author | 2005-06-30 08:51:31 +0000 | |
---|---|---|
committer | 2005-06-30 08:51:31 +0000 | |
commit | 4063babe5e03db10ea5cd68571b7c361bfdc0eed (patch) | |
tree | 423419f9731c5a4844c37a59b9d2016d9e60d71a /sys/netinet/tcp_output.c | |
parent | sort ioctls; (diff) | |
implement PMTU checks from
http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html
i.e. don't act on ICMP-need-frag immediately if adhoc checks on the
advertised mtu fail. the mtu update is delayed until a tcp retransmit
happens. initial patch by Fernando Gont, tested by many.
Diffstat (limited to 'sys/netinet/tcp_output.c')
-rw-r--r-- | sys/netinet/tcp_output.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index e19d623de96..d36f60dac3c 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.78 2005/05/24 00:02:37 fgont Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.79 2005/06/30 08:51:31 markus Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /* @@ -214,7 +214,7 @@ tcp_output(tp) struct mbuf *m; struct tcphdr *th; u_char opt[MAX_TCPOPTLEN]; - unsigned int optlen, hdrlen; + unsigned int optlen, hdrlen, packetlen; int idle, sendalot = 0; #ifdef TCP_SACK int i, sack_rxmit = 0; @@ -1073,6 +1073,7 @@ send: ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); + packetlen = m->m_pkthdr.len; ip->ip_ttl = tp->t_inpcb->inp_ip.ip_ttl; ip->ip_tos = tp->t_inpcb->inp_ip.ip_tos; #ifdef TCP_ECN @@ -1095,6 +1096,7 @@ send: ip6 = mtod(m, struct ip6_hdr *); ip6->ip6_plen = m->m_pkthdr.len - sizeof(struct ip6_hdr); + packetlen = m->m_pkthdr.len; ip6->ip6_nxt = IPPROTO_TCP; ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL); #ifdef TCP_ECN @@ -1147,6 +1149,10 @@ out: return (error); } + + if (packetlen > tp->t_pmtud_mtu_sent) + tp->t_pmtud_mtu_sent = packetlen; + tcpstat.tcps_sndtotal++; if (tp->t_flags & TF_DELACK) tcpstat.tcps_delack++; |
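Review bot: `packetlen` is declared without an initializer in the `@@ -214,7 +214,7 @@` hunk, and the only assignments shown are in the IPv4 and IPv6 header-fill hunks (`@@ -1073,6 +1073,7 @@` and `@@ -1095,6 +1096,7 @@`), yet the last hunk reads it unconditionally. The construct that selects between those two branches is outside the hunks, so this is inferred: if any path reaches the comparison without passing through one of them, an indeterminate value is compared and may be stored in `tp->t_pmtud_mtu_sent`, which would presumably weaken the check on advertised MTUs that the commit message describes. Initializing at the declaration, `unsigned int optlen, hdrlen, packetlen = 0;`, makes that fallback harmless. tcp_output's body starts and ends outside every hunk shown.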
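Review bot: The update of `tp->t_pmtud_mtu_sent` in the `@@ -1147,6 +1149,10 @@` hunk carries no comment, although its position after the block ending in `return (error);` appears to be what restricts the value to packets that were actually handed down for transmission. I would add `/* high-water mark of packets sent; used to sanity-check the MTU advertised in ICMP need-frag */` above the `if`. The consumer of the field is not part of this file's diff, so the wording should be confirmed against it. The hunk only ever raises the value. If nothing lowers it again once a smaller path MTU has been accepted, a stale maximum could let later bogus advertisements between the new and the old size pass the check, which is worth confirming where the field is read.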