CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2020/12/20 14:15:47

Modified files:
	sys/netinet : ip_icmp.c ip_icmp.h ip_output.c tcp_timer.c

Log message:
Accept reject and blackhole routes for IPsec PMTU discovery.

Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject routes. Otherwise TCP would clone these routes for PMTU discovery. They will not work, even after dynamic routing has found a better route than the reject route.

With IPsec the use case is different. First you need a route, but then the flow handles the packet without routing. Usually this route should be a reject route to avoid sending unencrypted traffic if the flow is missing. But IPsec needs this route for PMTU discovery, so use it for that.

OK claudio@ tobhe@