Send ICMP errors when unable to forward fragmented packets

Before this change, we would silently drop packets when the packet was too
big to be sent out through the NIC (and, for IPv4 packets, if DF was set).
This change brings us into line with RFC 792 (IPv4) and RFC 4443 (IPv6),
both of which specify that gateways should return an ICMP error to the sender
when the packet can't be fragmented.

PiperOrigin-RevId: 373480078

3 files changed, 146 insertions, 39 deletions

diff --git a/pkg/tcpip/network/ipv6/icmp.go b/pkg/tcpip/network/ipv6/icmp.go
index 247a07dc2..4051fda07 100644
--- a/pkg/tcpip/network/ipv6/icmp.go
+++ b/pkg/tcpip/network/ipv6/icmp.go
@@ -955,7 +955,19 @@ func (*endpoint) ResolveStaticAddress(addr tcpip.Address) (tcpip.LinkAddress, bo
 // icmpReason is a marker interface for IPv6 specific ICMP errors.
 type icmpReason interface {
 	isICMPReason()
+	// isForwarding indicates whether or not the error arose while attempting to
+	// forward a packet.
 	isForwarding() bool
+	// respondToMulticast indicates whether this error falls under the exception
+	// outlined by RFC 4443 section 2.4 point e.3 exception 2:
+	//
+	//   (e.3) A packet destined to an IPv6 multicast address. (There are two
+	//   exceptions to this rule: (1) the Packet Too Big Message (Section 3.2) to
+	//   allow Path MTU discovery to work for IPv6 multicast, and (2) the Parameter
+	//   Problem Message, Code 2 (Section 3.4) reporting an unrecognized IPv6
+	//   option (see Section 4.2 of [IPv6]) that has the Option Type highest-
+	//   order two bits set to 10).
+	respondsToMulticast() bool
 }
 
 // icmpReasonParameterProblem is an error during processing of extension headers
@@ -963,18 +975,6 @@ type icmpReason interface {
 type icmpReasonParameterProblem struct {
 	code header.ICMPv6Code
 
-	// respondToMulticast indicates that we are sending a packet that falls under
-	// the exception outlined by RFC 4443 section 2.4 point e.3 exception 2:
-	//
-	//       (e.3) A packet destined to an IPv6 multicast address.  (There are
-	//             two exceptions to this rule: (1) the Packet Too Big Message
-	//             (Section 3.2) to allow Path MTU discovery to work for IPv6
-	//             multicast, and (2) the Parameter Problem Message, Code 2
-	//             (Section 3.4) reporting an unrecognized IPv6 option (see
-	//             Section 4.2 of [IPv6]) that has the Option Type highest-
-	//             order two bits set to 10).
-	respondToMulticast bool
-
 	// pointer is defined in the RFC 4443 setion 3.4 which reads:
 	//
 	//  Pointer         Identifies the octet offset within the invoking packet
@@ -985,9 +985,9 @@ type icmpReasonParameterProblem struct {
 	//                  in the maximum size of an ICMPv6 error message.
 	pointer uint32
 
-	// forwarding indicates that the problem arose while we were trying to forward
-	// a packet.
 	forwarding bool
+
+	respondToMulticast bool
 }
 
 func (*icmpReasonParameterProblem) isICMPReason() {}
@@ -995,6 +995,10 @@ func (p *icmpReasonParameterProblem) isForwarding() bool {
 	return p.forwarding
 }
 
+func (p *icmpReasonParameterProblem) respondsToMulticast() bool {
+	return p.respondToMulticast
+}
+
 // icmpReasonPortUnreachable is an error where the transport protocol has no
 // listener and no alternative means to inform the sender.
 type icmpReasonPortUnreachable struct{}
@@ -1005,6 +1009,10 @@ func (*icmpReasonPortUnreachable) isForwarding() bool {
 	return false
 }
 
+func (*icmpReasonPortUnreachable) respondsToMulticast() bool {
+	return false
+}
+
 // icmpReasonNetUnreachable is an error where no route can be found to the
 // network of the final destination.
 type icmpReasonNetUnreachable struct{}
@@ -1021,6 +1029,30 @@ func (*icmpReasonNetUnreachable) isForwarding() bool {
 	return true
 }
 
+func (*icmpReasonNetUnreachable) respondsToMulticast() bool {
+	return false
+}
+
+// icmpReasonFragmentationNeeded is an error where a packet is to big to be sent
+// out through the outgoing MTU, as per RFC 4443 page 9, Packet Too Big Message.
+type icmpReasonPacketTooBig struct{}
+
+func (*icmpReasonPacketTooBig) isICMPReason() {}
+
+func (*icmpReasonPacketTooBig) isForwarding() bool {
+	// If we hit a Packet Too Big error, then we know we are operating as a router.
+	// As per RFC 4443 section 3.2:
+	//
+	//   A Packet Too Big MUST be sent by a router in response to a packet that it
+	//   cannot forward because the packet is larger than the MTU of the outgoing
+	//   link.
+	return true
+}
+
+func (*icmpReasonPacketTooBig) respondsToMulticast() bool {
+	return true
+}
+
 // icmpReasonHopLimitExceeded is an error where a packet's hop limit exceeded in
 // transit to its final destination, as per RFC 4443 section 3.3.
 type icmpReasonHopLimitExceeded struct{}
@@ -1039,6 +1071,10 @@ func (*icmpReasonHopLimitExceeded) isForwarding() bool {
 	return true
 }
 
+func (*icmpReasonHopLimitExceeded) respondsToMulticast() bool {
+	return false
+}
+
 // icmpReasonReassemblyTimeout is an error where insufficient fragments are
 // received to complete reassembly of a packet within a configured time after
 // the reception of the first-arriving fragment of that packet.
@@ -1050,6 +1086,10 @@ func (*icmpReasonReassemblyTimeout) isForwarding() bool {
 	return false
 }
 
+func (*icmpReasonReassemblyTimeout) respondsToMulticast() bool {
+	return false
+}
+
 // returnError takes an error descriptor and generates the appropriate ICMP
 // error packet for IPv6 and sends it.
 func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip.Error {
@@ -1078,11 +1118,7 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 	//             Section 4.2 of [IPv6]) that has the Option Type highest-
 	//             order two bits set to 10).
 	//
-	var allowResponseToMulticast bool
-	if reason, ok := reason.(*icmpReasonParameterProblem); ok {
-		allowResponseToMulticast = reason.respondToMulticast
-	}
-
+	allowResponseToMulticast := reason.respondsToMulticast()
 	isOrigDstMulticast := header.IsV6MulticastAddress(origIPHdrDst)
 	if (!allowResponseToMulticast && isOrigDstMulticast) || origIPHdrSrc == header.IPv6Any {
 		return nil
@@ -1190,6 +1226,10 @@ func (p *protocol) returnError(reason icmpReason, pkt *stack.PacketBuffer) tcpip
 		icmpHdr.SetType(header.ICMPv6DstUnreachable)
 		icmpHdr.SetCode(header.ICMPv6NetworkUnreachable)
 		counter = sent.dstUnreachable
+	case *icmpReasonPacketTooBig:
+		icmpHdr.SetType(header.ICMPv6PacketTooBig)
+		icmpHdr.SetCode(header.ICMPv6UnusedCode)
+		counter = sent.packetTooBig
 	case *icmpReasonHopLimitExceeded:
 		icmpHdr.SetType(header.ICMPv6TimeExceeded)
 		icmpHdr.SetCode(header.ICMPv6HopLimitExceeded)
diff --git a/pkg/tcpip/network/ipv6/ipv6.go b/pkg/tcpip/network/ipv6/ipv6.go
index 029d5f51b..880290b4b 100644
--- a/pkg/tcpip/network/ipv6/ipv6.go
+++ b/pkg/tcpip/network/ipv6/ipv6.go
@@ -761,6 +761,12 @@ func (e *endpoint) writePacket(r *stack.Route, pkt *stack.PacketBuffer, protocol
 	}
 
 	if packetMustBeFragmented(pkt, networkMTU) {
+		if pkt.NetworkPacketInfo.IsForwardedPacket {
+			// As per RFC 2460, section 4.5:
+			//   Unlike IPv4, fragmentation in IPv6 is performed only by source nodes,
+			//   not by routers along a packet's delivery path.
+			return &tcpip.ErrMessageTooLong{}
+		}
 		sent, remain, err := e.handleFragments(r, networkMTU, pkt, protocol, func(fragPkt *stack.PacketBuffer) tcpip.Error {
 			// TODO(gvisor.dev/issue/3884): Evaluate whether we want to send each
 			// fragment one by one using WritePacket() (current strategy) or if we
@@ -950,9 +956,8 @@ func (e *endpoint) forwardPacket(pkt *stack.PacketBuffer) ip.ForwardingError {
 	switch err.(type) {
 	case nil:
 	case *tcpip.ErrNoRoute, *tcpip.ErrNetworkUnreachable:
-		// We return the original error rather than the result of returning
-		// the ICMP packet because the original error is more relevant to
-		// the caller.
+		// We return the original error rather than the result of returning the
+		// ICMP packet because the original error is more relevant to the caller.
 		_ = e.protocol.returnError(&icmpReasonNetUnreachable{}, pkt)
 		return &ip.ErrNoRoute{}
 	default:
@@ -971,13 +976,23 @@ func (e *endpoint) forwardPacket(pkt *stack.PacketBuffer) ip.ForwardingError {
 	//                       each node that forwards the packet.
 	newHdr.SetHopLimit(hopLimit - 1)
 
-	if err := r.WriteHeaderIncludedPacket(stack.NewPacketBuffer(stack.PacketBufferOptions{
+	switch err := r.WriteHeaderIncludedPacket(stack.NewPacketBuffer(stack.PacketBufferOptions{
 		ReserveHeaderBytes: int(r.MaxHeaderLength()),
 		Data:               buffer.View(newHdr).ToVectorisedView(),
-	})); err != nil {
+		IsForwardedPacket:  true,
+	})); err.(type) {
+	case nil:
+		return nil
+	case *tcpip.ErrMessageTooLong:
+		// As per RFC 4443, section 3.2:
+		//   A Packet Too Big MUST be sent by a router in response to a packet that
+		//   it cannot forward because the packet is larger than the MTU of the
+		//   outgoing link.
+		_ = e.protocol.returnError(&icmpReasonPacketTooBig{}, pkt)
+		return &ip.ErrMessageTooLong{}
+	default:
 		return &ip.ErrOther{Err: err}
 	}
-	return nil
 }
 
 // HandlePacket is called by the link layer when new ipv6 packets arrive for
@@ -1091,6 +1106,8 @@ func (e *endpoint) handleValidatedPacket(h header.IPv6, pkt *stack.PacketBuffer)
 			e.stats.ip.Forwarding.Unrouteable.Increment()
 		case *ip.ErrParameterProblem:
 			e.stats.ip.Forwarding.ExtensionHeaderProblem.Increment()
+		case *ip.ErrMessageTooLong:
+			e.stats.ip.Forwarding.PacketTooBig.Increment()
 		default:
 			panic(fmt.Sprintf("unexpected error %s while trying to forward packet: %#v", err, pkt))
 		}
diff --git a/pkg/tcpip/network/ipv6/ipv6_test.go b/pkg/tcpip/network/ipv6/ipv6_test.go
index 8ebca735b..faf6a782e 100644
--- a/pkg/tcpip/network/ipv6/ipv6_test.go
+++ b/pkg/tcpip/network/ipv6/ipv6_test.go
@@ -3018,10 +3018,13 @@ func TestForwarding(t *testing.T) {
 		Address:   tcpip.Address(net.ParseIP("11::1").To16()),
 		PrefixLen: 64,
 	}
+	multicastIPv6Addr := tcpip.AddressWithPrefix{
+		Address:   tcpip.Address(net.ParseIP("ff00::").To16()),
+		PrefixLen: 64,
+	}
 	remoteIPv6Addr1 := tcpip.Address(net.ParseIP("10::2").To16())
 	remoteIPv6Addr2 := tcpip.Address(net.ParseIP("11::2").To16())
 	unreachableIPv6Addr := tcpip.Address(net.ParseIP("12::2").To16())
-	multicastIPv6Addr := tcpip.Address(net.ParseIP("ff00::").To16())
 	linkLocalIPv6Addr := tcpip.Address(net.ParseIP("fe80::").To16())
 
 	tests := []struct {
@@ -3030,6 +3033,7 @@ func TestForwarding(t *testing.T) {
 		TTL                          uint8
 		expectErrorICMP              bool
 		expectPacketForwarded        bool
+		payloadLength                int
 		countUnrouteablePackets      uint64
 		sourceAddr                   tcpip.Address
 		destAddr                     tcpip.Address
@@ -3090,12 +3094,12 @@ func TestForwarding(t *testing.T) {
 			expectPacketUnrouteableError: true,
 		},
 		{
-			name:                         "Multicast destination",
-			TTL:                          2,
-			countUnrouteablePackets:      1,
-			sourceAddr:                   remoteIPv6Addr1,
-			destAddr:                     multicastIPv6Addr,
-			expectPacketUnrouteableError: true,
+			name:                    "Multicast destination",
+			TTL:                     2,
+			countUnrouteablePackets: 1,
+			sourceAddr:              remoteIPv6Addr1,
+			destAddr:                multicastIPv6Addr.Address,
+			expectPacketForwarded:   true,
 		},
 		{
 			name:                     "Link local destination",
@@ -3172,7 +3176,7 @@ func TestForwarding(t *testing.T) {
 			name:       "Hopbyhop with unknown option discard and send icmp action (multicast)",
 			TTL:        2,
 			sourceAddr: remoteIPv6Addr1,
-			destAddr:   multicastIPv6Addr,
+			destAddr:   multicastIPv6Addr.Address,
 			extHdr: func(nextHdr uint8) ([]byte, uint8, checker.NetworkChecker) {
 				return []byte{
 					nextHdr, 1,
@@ -3215,7 +3219,7 @@ func TestForwarding(t *testing.T) {
 			name:       "Hopbyhop with unknown option discard and send icmp action unless multicast dest (multicast)",
 			TTL:        2,
 			sourceAddr: remoteIPv6Addr1,
-			destAddr:   multicastIPv6Addr,
+			destAddr:   multicastIPv6Addr.Address,
 			extHdr: func(nextHdr uint8) ([]byte, uint8, checker.NetworkChecker) {
 				return []byte{
 					nextHdr, 1,
@@ -3263,6 +3267,26 @@ func TestForwarding(t *testing.T) {
 			},
 			expectExtensionHeaderError: true,
 		},
+		{
+			name:            "Can't fragment",
+			TTL:             2,
+			payloadLength:   header.IPv6MinimumMTU + 1,
+			expectErrorICMP: true,
+			sourceAddr:      remoteIPv6Addr1,
+			destAddr:        remoteIPv6Addr2,
+			icmpType:        header.ICMPv6PacketTooBig,
+			icmpCode:        header.ICMPv6UnusedCode,
+		},
+		{
+			name:            "Can't fragment multicast",
+			TTL:             2,
+			payloadLength:   header.IPv6MinimumMTU + 1,
+			sourceAddr:      remoteIPv6Addr1,
+			destAddr:        multicastIPv6Addr.Address,
+			expectErrorICMP: true,
+			icmpType:        header.ICMPv6PacketTooBig,
+			icmpCode:        header.ICMPv6UnusedCode,
+		},
 	}
 
 	for _, test := range tests {
@@ -3299,6 +3323,10 @@ func TestForwarding(t *testing.T) {
 					Destination: ipv6Addr2.Subnet(),
 					NIC:         nicID2,
 				},
+				{
+					Destination: multicastIPv6Addr.Subnet(),
+					NIC:         nicID2,
+				},
 			})
 
 			if err := s.SetForwarding(ProtocolNumber, true); err != nil {
@@ -3315,8 +3343,13 @@ func TestForwarding(t *testing.T) {
 			}
 			extHdrLen := len(extHdrBytes)
 
-			hdr := buffer.NewPrependable(header.IPv6MinimumSize + header.ICMPv6MinimumSize + extHdrLen)
-			icmp := header.ICMPv6(hdr.Prepend(header.ICMPv6MinimumSize))
+			ipHeaderLength := header.IPv6MinimumSize
+			icmpHeaderLength := header.ICMPv6MinimumSize
+			totalLength := ipHeaderLength + icmpHeaderLength + test.payloadLength + extHdrLen
+			hdr := buffer.NewPrependable(totalLength)
+			hdr.Prepend(test.payloadLength)
+			icmp := header.ICMPv6(hdr.Prepend(icmpHeaderLength))
+
 			icmp.SetIdent(randomIdent)
 			icmp.SetSequence(randomSequence)
 			icmp.SetType(header.ICMPv6EchoRequest)
@@ -3328,9 +3361,9 @@ func TestForwarding(t *testing.T) {
 				Dst:    test.destAddr,
 			}))
 			copy(hdr.Prepend(extHdrLen), extHdrBytes)
-			ip := header.IPv6(hdr.Prepend(header.IPv6MinimumSize))
+			ip := header.IPv6(hdr.Prepend(ipHeaderLength))
 			ip.Encode(&header.IPv6Fields{
-				PayloadLength:     header.ICMPv6MinimumSize,
+				PayloadLength:     uint16(header.ICMPv6MinimumSize + test.payloadLength),
 				TransportProtocol: transportProtocol,
 				HopLimit:          test.TTL,
 				SrcAddr:           test.sourceAddr,
@@ -3347,6 +3380,19 @@ func TestForwarding(t *testing.T) {
 					t.Fatalf("expected ICMP packet type %d through incoming NIC", test.icmpType)
 				}
 
+				// As per RFC 4443, page 9:
+				//
+				//   The returned ICMP packet will contain as much of invoking packet
+				//   as possible without the ICMPv6 packet exceeding the minimum IPv6
+				//   MTU.
+				expectedICMPPayloadLength := func() int {
+					maxICMPPayloadLength := header.IPv6MinimumMTU - ipHeaderLength - icmpHeaderLength
+					if len(hdr.View()) > maxICMPPayloadLength {
+						return maxICMPPayloadLength
+					}
+					return len(hdr.View())
+				}
+
 				checker.IPv6(t, header.IPv6(stack.PayloadSince(reply.Pkt.NetworkHeader())),
 					checker.SrcAddr(ipv6Addr1.Address),
 					checker.DstAddr(test.sourceAddr),
@@ -3354,7 +3400,7 @@ func TestForwarding(t *testing.T) {
 					checker.ICMPv6(
 						checker.ICMPv6Type(test.icmpType),
 						checker.ICMPv6Code(test.icmpCode),
-						checker.ICMPv6Payload([]byte(hdr.View())),
+						checker.ICMPv6Payload([]byte(hdr.View()[0:expectedICMPPayloadLength()])),
 					),
 				)
 
@@ -3420,6 +3466,10 @@ func TestForwarding(t *testing.T) {
 			if got, want := s.Stats().IP.Forwarding.ExtensionHeaderProblem.Value(), boolToInt(test.expectExtensionHeaderError); got != want {
 				t.Errorf("got s.Stats().IP.Forwarding.ExtensionHeaderProblem.Value() = %d, want = %d", got, want)
 			}
+
+			if got, want := s.Stats().IP.Forwarding.PacketTooBig.Value(), boolToInt(test.icmpType == header.ICMPv6PacketTooBig); got != want {
+				t.Errorf("got s.Stats().IP.Forwarding.PacketTooBig.Value() = %d, want = %d", got, want)
+			}
 		})
 	}
 }