tech-net archive
Re: FAST_IPSEC doesn't send ICMP frag needed
On Fri, Dec 20, 2013 at 12:11:26AM -0600, Dave Huang wrote:
> BTW, here's Beverly's change in patch form, updated for -current, plus
> a change that makes the ICMP frag needed contain the route MTU instead
> of interface MTU if there is one. (See my earlier message:
> <http://mail-index.netbsd.org/tech-net/2013/12/19/msg004418.html>). It
> also takes into account Beverly's comment that "ipsec_hdrsiz returns a
> strange (meaning odd number) header length. I think this should be
> decreased until we have a multiple of 4." I'm assuming she meant that
> the header length should be *increased* to a multiple of 4 (so the
> reported MTU is decreased).
>
> And since ip_forward() was already getting the MTU, I figure there's
> no need for ipsec4_forward() to do it again... especially since it
> doesn't actually work (sp->req->sav is NULL in ipsec4_forward()).
>
> Index: netinet/ip_input.c
> ===================================================================
> RCS file: /cvsroot/src/sys/netinet/ip_input.c,v
> retrieving revision 1.308
> diff -u -r1.308 ip_input.c
> --- netinet/ip_input.c 29 Jun 2013 21:06:58 -0000 1.308
> +++ netinet/ip_input.c 20 Dec 2013 06:04:33 -0000
> @@ -1335,7 +1335,8 @@
> code = ICMP_UNREACH_NEEDFRAG;
>
> if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
> - destmtu = rt->rt_ifp->if_mtu;
> + destmtu = rt->rt_rmx.rmx_mtu ?
> + rt->rt_rmx.rmx_mtu : rt->rt_ifp->if_mtu;
> #ifdef IPSEC
> (void)ipsec4_forward(mcopy, &destmtu);
> #endif
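Review bot: the added lines take a nonzero rt->rt_rmx.rmx_mtu as destmtu without comparing it against rt->rt_ifp->if_mtu, so a route metric larger than the interface MTU would be carried into destmtu unchanged for the ICMP_UNREACH_NEEDFRAG case. Consider using the smaller of the two values before ipsec4_forward(mcopy, &destmtu) adjusts it, and add a short comment saying why the route MTU is preferred over the interface MTU here.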
I think this part of the patch is incorrect for the reasons described
by others in the "ICMP_UNREACH_NEEDFRAG returns iface MTU instead of
route?" thread on tech-net.
Dave
--
David Young
dyoung%pobox.com@localhost Urbana, IL (217) 721-9981