From: Tobias Brunner
Date: Thu, 15 May 2025 10:56:00 +0000 (+0200)
Subject: child-sa: Allow disabling fragmenting packets across AGGFRAG payloads
X-Git-Tag: 6.0.2dr1~4^2~6
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f32773b3a8f3714248daa77267d8ee87e927f41a;p=thirdparty%2Fstrongswan.git

child-sa: Allow disabling fragmenting packets across AGGFRAG payloads

This is necessary if the peer isn't able to handle such fragments.
---

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index 2c0ef08ed1..4676b05e3c 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -246,6 +246,11 @@ struct private_child_sa_t {
 	 */
 	ipsec_mode_t mode;
 
+	/**
+	 * Disable fragmenting packets across IP-TFS packets
+	 */
+	bool iptfs_dont_frag;
+
 	/**
 	 * Action to enforce if peer closes the CHILD_SA
 	 */
@@ -462,6 +467,12 @@ METHOD(child_sa_t, set_mode, void,
 	this->mode = mode;
 }
 
+METHOD(child_sa_t, set_iptfs_dont_fragment, void,
+	private_child_sa_t *this)
+{
+	this->iptfs_dont_frag = TRUE;
+}
+
 METHOD(child_sa_t, has_encap, bool,
 	private_child_sa_t *this)
 {
@@ -1109,6 +1120,7 @@ static status_t install_internal(private_child_sa_t *this, chunk_t encr,
 		.copy_df = !this->config->has_option(this->config, OPT_NO_COPY_DF),
 		.copy_ecn = !this->config->has_option(this->config, OPT_NO_COPY_ECN),
 		.copy_dscp = this->config->get_copy_dscp(this->config),
+		.iptfs_dont_frag = this->iptfs_dont_frag,
 		.label = label_for(this, LABEL_USE_SA),
 		.initiator = initiator,
 		.inbound = inbound,
@@ -2168,6 +2180,7 @@ child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
 			.has_encap = _has_encap,
 			.get_ipcomp = _get_ipcomp,
 			.set_ipcomp = _set_ipcomp,
+			.set_iptfs_dont_fragment = _set_iptfs_dont_fragment,
 			.get_close_action = _get_close_action,
 			.set_close_action = _set_close_action,
 			.get_dpd_action = _get_dpd_action,
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h
index 64e3df774c..152ef5e8e9 100644
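Review bot: set_iptfs_dont_fragment (hunk @@ -462) only ever writes TRUE into a per-instance member of private_child_sa_t, and that member is consumed once by install_internal (hunk @@ -1109), so the setting is not part of the config and is not inherited by the child_sa_t that child_sa_create builds for a rekey unless the caller re-applies it; if that caller is outside this commit, a peer that cannot handle AGGFRAG fragments would presumably receive them again after the first rekey. Either derive the flag from child_cfg_t in child_sa_create or make the contract explicit on the member, e.g. `/* FALSE unless set_iptfs_dont_fragment() is called before install; not carried over on rekey */`. The default relies on the INIT block in child_sa_create zero-initialising the new member, which is consistent with the existing members but is not shown here. The `.iptfs_dont_frag` initialiser in install_internal also assumes the kernel add-SA data struct already has that member, which this diff does not touch.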
--- a/src/libcharon/sa/child_sa.h
+++ b/src/libcharon/sa/child_sa.h
@@ -290,6 +290,12 @@ struct child_sa_t {
 	 */
 	void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
 
+	/**
+	 * Disable fragmenting messages across multiple IP-TFS packets. Only
+	 * relevant with MODE_IPTFS.
+	 */
+	void (*set_iptfs_dont_fragment)(child_sa_t *this);
+
 	/**
 	 * Get the action to enforce if the remote peer closes the CHILD_SA.
 	 *
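Review bot: The new doc comment on set_iptfs_dont_fragment does not say when it must be called or that it is one-way; the flag is handed to the kernel when the SA is installed and there is no method to re-enable fragmentation. Suggest extending the comment with `* Must be called before the CHILD_SA is installed (the setting is passed to the kernel at install time) and cannot be reverted.` The struct child_sa_t definition continues outside the hunk.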