kernel-pfroute: Set lower MTU on TUN devices

The default MTU of 1500 is too high if kernel-libipsec is used (considering
the overhead of UDP-encapsulated ESP), but might also have an effect if
a TUN device is only used to install a virtual IP (the route points to it,
so the system might use its MTU and 1500 would still be too high).

This also works around an issue on macOS 12 where no RTM_IFINFO event
is sent for the newly created TUN device (neither for the creation,
setting it "up", nor adding the address).  Changing the MTU, however,
triggers such an event and we can detect the virtual IP.

Closes strongswan/strongswan#707

diff --git a/conf/plugins/kernel-pfroute.opt b/conf/plugins/kernel-pfroute.opt
index 8b9bb9169aa147a83ade36fe592a30a2ce247948..464203545424e01a548844a5ea22e99dfa6731f5 100644 (file)
--- a/conf/plugins/kernel-pfroute.opt
+++ b/conf/plugins/kernel-pfroute.opt
@@ -1,3 +1,6 @@
+charon.plugins.kernel-pfroute.mtu = 1400
+       MTU to set on TUN devices created for virtual IPs.
+
 charon.plugins.kernel-pfroute.vip_wait = 1000
        Time in ms to wait until virtual IP addresses appear/disappear before
        failing.

diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
index 97eeda7d3bf19247e1e47f896f41cc29dddbd360..affee8c5ed648136913f6860b4e18b016ba2b640 100644 (file)
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -58,6 +58,9 @@
 /** delay before reinstalling routes (ms) */
 #define ROUTE_DELAY 100
 
+/** default MTU for TUN devices */
+#define TUN_DEFAULT_MTU 1400
+
 typedef struct addr_entry_t addr_entry_t;
 
 /**
@@ -410,6 +413,11 @@ struct private_kernel_pfroute_net_t
         */
        int vip_wait;
 
+       /**
+        * MTU to set on TUN devices
+        */
+       uint32_t mtu;
+
        /**
         * whether to actually install virtual IPs
         */
@@ -1235,7 +1243,8 @@ METHOD(kernel_net_t, add_ip, status_t,
        {
                prefix = vip->get_address(vip).len * 8;
        }
-       if (!tun->up(tun) || !tun->set_address(tun, vip, prefix))
+       if (!tun->up(tun) || !tun->set_address(tun, vip, prefix) ||
+               !tun->set_mtu(tun, this->mtu))
        {
                tun->destroy(tun);
                return FAILED;
@@ -2088,6 +2097,8 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
                .roam_lock = spinlock_create(),
                .vip_wait = lib->settings->get_int(lib->settings,
                                                "%s.plugins.kernel-pfroute.vip_wait", 1000, lib->ns),
+               .mtu = lib->settings->get_int(lib->settings,
+                                               "%s.plugins.kernel-pfroute.mtu", TUN_DEFAULT_MTU, lib->ns),
                .install_virtual_ip = lib->settings->get_bool(lib->settings,
                                                "%s.install_virtual_ip", TRUE, lib->ns),
        );