authorBartlomiej Grzesik <bag@semihalf.com>2021-09-24 08:25:53 +0000
committerWojciech Macek <wma@FreeBSD.org>2021-09-24 08:25:53 +0000
commitb4220bf387e62f59d73308f122f5eea887a59d58 (patch)
treee9fe848f4e34f21bbdab081c3dc51b150b94ef00
parent4f3376951d7024d1c3446af2260cef9e4d3404a6 (diff)
ipsec: If no PMTU in hostcache assume it's equal to link's MTU
If we fail to find a PMTU in hostcache, we assume it's equal to link's MTU. This patch prevents packets larger than link's MTU from being dropped silently if there is no PMTU in hostcache. Differential revision: https://reviews.freebsd.org/D31770 Obtained from: Semihalf Sponsored by: Stormshield
-rw-r--r--sys/netipsec/ipsec_output.c22
1 files changed, 18 insertions, 4 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 50bbd72f0589..c4e34665b8f5 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -352,15 +352,29 @@ setdf:
key_freesav(&sav);
pmtu = tcp_hc_getmtu(&inc);
- /* No entry in hostcache. */
- if (pmtu == 0)
- return (0);
+ /* No entry in hostcache. Use link MTU instead. */
+ if (pmtu == 0) {
+ switch (dst->sa.sa_family) {
+ case AF_INET:
+ pmtu = tcp_maxmtu(&inc, NULL);
+ break;
+#ifdef INET6
+ case AF_INET6:
+ pmtu = tcp_maxmtu6(&inc, NULL);
+ break;
+#endif
+ }
+ if (pmtu == 0)
+ return (0);
+
+ tcp_hc_updatemtu(&inc, pmtu);
+ }
hlen = ipsec_hdrsiz_internal(sp);
if (m_length(m, NULL) + hlen > pmtu) {
/*
* If we're forwarding generate ICMP message here,
- * so that it contains pmtu and not link mtu.
+ * so that it contains pmtu substraced by header size.
* Set error to EINPROGRESS, in order for the frame
* to be dropped silently.
*/
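Review bot: The new `tcp_hc_updatemtu(&inc, pmtu)` call stores the link MTU in the TCP hostcache as if it were a learned path MTU, and it does so from the packet output path for every destination that has no entry yet. If this code is also reached for forwarded traffic (the comment further down suggests it is), the set of destinations is chosen by remote senders, so hostcache occupancy and eviction of genuinely learned PMTU values become traffic-driven; this is worth confirming against the hostcache limits and stating next to the call, e.g. `/* Cache the link MTU so later packets skip the route lookup; entry is created per destination, bounded by hostcache limits. */`. The `switch (dst->sa.sa_family)` has no `default:` and relies on `pmtu` still being 0 for other families, which an explicit `default: break;` would make visible. The reworded comment has a typo, `substraced` should read `reduced by the header size` or `subtracted`. The enclosing function starts and ends outside this hunk.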