git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit

author	Sabrina Dubroca <sd@queasysnail.net>
	Fri, 16 Apr 2021 09:27:59 +0000 (11:27 +0200)
committer	Stefan Bader <stefan.bader@canonical.com>
	Fri, 13 Aug 2021 07:30:38 +0000 (09:30 +0200)
commit	aed42ff0f39c366305ce586c4e95950d1cf2b7bf
tree	42254cf5b1cf11931d4e9b5aba773024ac2872ff	tree
parent	1929eb61d841b24130d44bb16f4894bfc7bace8a	commit \| diff

xfrm: xfrm_state_mtu should return at least 1280 for ipv6

BugLink: https://bugs.launchpad.net/bugs/1938340
[ Upstream commit b515d2637276a3810d6595e10ab02c13bfd0b63a ]

Jianwen reported that IPv6 Interoperability tests are failing in an
IPsec case where one of the links between the IPsec peers has an MTU
of 1280. The peer generates a packet larger than this MTU, the router
replies with a "Packet too big" message indicating an MTU of 1280.
When the peer tries to send another large packet, xfrm_state_mtu
returns 1280 - ipsec_overhead, which causes ip6_setup_cork to fail
with EINVAL.

We can fix this by forcing xfrm_state_mtu to return IPV6_MIN_MTU when
IPv6 is used. After going through IPsec, the packet will then be
fragmented to obey the actual network's PMTU, just before leaving the
host.

Currently, TFC padding is capped to PMTU - overhead to avoid
fragementation: after padding and encapsulation, we still fit within
the PMTU. That behavior is preserved in this patch.

Fixes: 91657eafb64b ("xfrm: take net hdr len into account for esp payload size calculation")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

include/net/xfrm.h		diff \| blob \| blame \| history
net/ipv4/esp4.c		diff \| blob \| blame \| history
net/ipv6/esp6.c		diff \| blob \| blame \| history
net/xfrm/xfrm_state.c		diff \| blob \| blame \| history