FreeBSD Bugzilla – Attachment 210122 Details for Bug 242744
IPSec in transport mode between FreeBSD hosts blackholes TCP traffic
[patch] net.inet.ipsec.trans.cleardf
cleardf.diff (text/plain), 2.38 KB, created by Eugene Grosbein on 2019-12-21 23:56:57 UTC
>Index: sys/netipsec/ipsec.c >=================================================================== >--- sys/netipsec/ipsec.c (revision 354348) >+++ sys/netipsec/ipsec.c (working copy) >@@ -112,6 +112,8 @@ > > /* DF bit on encap. 0: clear 1: set 2: copy */ > VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; >+/* DF bit for transport mode 0: keep, 1: clear */ >+VNET_DEFINE(int, ip4_ipsec_trans_cleardf) = 0; > VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE; > VNET_DEFINE(int, ip4_esp_net_deflev) = IPSEC_LEVEL_USE; > VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE; >@@ -198,6 +200,9 @@ > SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn, > CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0, > "Explicit Congestion Notification handling."); >+SYSCTL_INT(_net_inet_ipsec, OID_AUTO, trans_cleardf, >+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_trans_cleardf), 0, >+ "Clear do not fragment bit for outgoing transport mode packets."); > SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support, > CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0, > "Crypto driver selection."); >Index: sys/netipsec/ipsec.h >=================================================================== >--- sys/netipsec/ipsec.h (revision 354348) >+++ sys/netipsec/ipsec.h (working copy) >@@ -283,6 +283,7 @@ > VNET_DECLARE(int, ip4_ah_net_deflev); > VNET_DECLARE(int, ip4_ipsec_dfbit); > VNET_DECLARE(int, ip4_ipsec_ecn); >+VNET_DECLARE(int, ip4_ipsec_trans_cleardf); > VNET_DECLARE(int, crypto_support); > VNET_DECLARE(int, async_crypto); > VNET_DECLARE(int, natt_cksum_policy); 
>@@ -297,6 +298,7 @@ > #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev) > #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit) > #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn) >+#define V_ip4_ipsec_trans_cleardf VNET(ip4_ipsec_trans_cleardf) > #define V_crypto_support VNET(crypto_support) > #define V_async_crypto VNET(async_crypto) > #define V_natt_cksum_policy VNET(natt_cksum_policy) >Index: sys/netipsec/ipsec_output.c >=================================================================== >--- sys/netipsec/ipsec_output.c (revision 354348) >+++ sys/netipsec/ipsec_output.c (working copy) >@@ -240,6 +240,10 @@ > } > inp = NULL; > } >+ else if (V_ip4_ipsec_trans_cleardf && >+ sp->req[idx]->saidx.mode == IPSEC_MODE_TRANSPORT) { >+ ip->ip_off &= htons(~IP_DF); >+ } > > IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER); > if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
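Review bot: In the sysctl hunk of sys/netipsec/ipsec.c, the OID is registered as `trans_cleardf` directly under `_net_inet_ipsec`, so the knob will appear as net.inet.ipsec.trans_cleardf, while the attachment description names it net.inet.ipsec.trans.cleardf. Pick one name and use it consistently; a separate `trans` node would need its own SYSCTL_NODE, which this patch does not declare. The description string could also state that the setting applies to IPv4 only and what 0 and 1 mean, and the patch touches no manual page for the new knob.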
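Review bot: In the sys/netipsec/ipsec_output.c hunk, the new branch is an `else if` chained to the block that ends with `inp = NULL;`, so DF is cleared only when that preceding branch is not taken, and the hunk modifies `ip->ip_off` without touching `ip->ip_sum`. Please confirm that the IPv4 header checksum is recomputed after this point on every transport-mode path, or update it here. The knob is also a single per-vnet value, so enabling it clears DF (and with it path MTU discovery) for every transport-mode SA rather than per policy, which deserves a comment next to the check. Style: style(9) puts `} else if (...) {` on the same line as the closing brace.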
Attachments on bug 242744: 210122 | 210202