aboutsummaryrefslogtreecommitdiff
path: root/sys/netipsec/ipsec.c
diff options
context:
space:
mode:
authorWojciech Macek <wma@FreeBSD.org>2021-08-09 10:01:46 +0000
committerWojciech Macek <wma@FreeBSD.org>2021-08-09 10:01:46 +0000
commitd9d59bb1af142e7575032dd6c51fc64580de84df (patch)
tree2a182f1ac945167eaf7982040ef046b488291675 /sys/netipsec/ipsec.c
parenta8d54fc903cca354572ddd7a890baefd81baa7e8 (diff)
downloadsrc-d9d59bb1af142e7575032dd6c51fc64580de84df.tar.gz
src-d9d59bb1af142e7575032dd6c51fc64580de84df.zip
ipsec: Handle ICMP NEEDFRAG message.
It will be needed for upcoming PMTU implementation in ipsec. For now simply create/update an entry in tcp hostcache when needed. The code is based on https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff Authored by: Kornel Duleba <mindal@semihalf.com> Differential revision: https://reviews.freebsd.org/D30992 Reviewed by: tuxen Sponsored by: Stormshield Obtained from: Semihalf
Diffstat (limited to 'sys/netipsec/ipsec.c')
-rw-r--r--sys/netipsec/ipsec.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index cd24750607ea..dcc607a5b617 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -112,6 +112,7 @@ VNET_PCPUSTAT_SYSUNINIT(ipsec4stat);
/* DF bit on encap. 0: clear 1: set 2: copy */
VNET_DEFINE(int, ip4_ipsec_dfbit) = 0;
+VNET_DEFINE(int, ip4_ipsec_min_pmtu) = 576;
VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE;
VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE;
VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE;
@@ -196,6 +197,9 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos,
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0,
"Do not fragment bit on encap.");
+SYSCTL_INT(_net_inet_ipsec, IPSECCTL_MIN_PMTU, min_pmtu,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_min_pmtu), 0,
+ "Lowest acceptable PMTU value.");
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");