Merge branch '2487-rollback-setting-dontfrag-option' into 'main'

Rollback setting IP_DONTFRAG option on the UDP sockets Closes #2466 and #2487 See merge request isc-projects/bind9!4668
2025-08-31 06:25:31 +00:00 · 2021-02-17 08:02:08 +00:00
parent 0f1a4ff2b1 6d442e9c04
commit f8fa64b706
3 changed files with 33 additions and 6 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+5584.	[bug]		Rollback setting IP_DONTFRAG option on the UDP sockets.
+			[GL #2487]
+
 5583.	[func]		Changes to DoH configuration syntax:
 			- When "http" is specified in "listen-on" or
 			  "listen-on-v6" statements, "tls" must also now
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -121,3 +121,8 @@ Bug Fixes
  list in ``named.conf``, the wrong size was passed to ``isc_mem_put()``,
  which resulted in the returned memory being put on the wrong freed
  list. This has been fixed. [GL #2460]
+
+- If an outgoing packet would exceed max-udp-size, it would be dropped instead
+  of sending a proper response back.  Rollback setting the IP_DONTFRAG on the
+  UDP sockets that we enabled during the DNS Flag Day 2020 to fix this issue.
+  [GL #2487]
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -2202,6 +2202,9 @@ isc__nm_closesocket(uv_os_sock_t sock) {
 #define setsockopt_on(socket, level, name) \
 	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))

+#define setsockopt_off(socket, level, name) \
+	setsockopt(socket, level, name, &(int){ 1 }, sizeof(int))
+
 isc_result_t
 isc__nm_socket_freebind(uv_os_sock_t fd, sa_family_t sa_family) {
 	/*
@@ -2327,14 +2330,22 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 	 */
 	if (sa_family == AF_INET6) {
 #if defined(IPV6_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IPV6, IPV6_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IPV6_MTU_DISCOVER)
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {
@@ -2345,14 +2356,22 @@ isc__nm_socket_dontfrag(uv_os_sock_t fd, sa_family_t sa_family) {
 #endif
 	} else if (sa_family == AF_INET) {
 #if defined(IP_DONTFRAG)
-		if (setsockopt_on(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
+		if (setsockopt_off(fd, IPPROTO_IP, IP_DONTFRAG) == -1) {
 			return (ISC_R_FAILURE);
 		} else {
 			return (ISC_R_SUCCESS);
 		}
-#elif defined(IP_MTU_DISCOVER)
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_OMIT)
 		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
-			       &(int){ IP_PMTUDISC_DO }, sizeof(int)) == -1)
+			       &(int){ IP_PMTUDISC_OMIT }, sizeof(int)) == -1)
+		{
+			return (ISC_R_FAILURE);
+		} else {
+			return (ISC_R_SUCCESS);
+		}
+#elif defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
+		if (setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER,
+			       &(int){ IP_PMTUDISC_DONT }, sizeof(int)) == -1)
 		{
 			return (ISC_R_FAILURE);
 		} else {