From 00bc8bbbbb71905f177c8bfd9577be995ddcfb84 Mon Sep 17 00:00:00 2001
From: Quentin McGaw <quentin.mcgaw@gmail.com>
Date: Thu, 11 Sep 2025 14:56:12 +0000
Subject: [PATCH] Handle administrative prohibition of ICMP

---
 internal/pmtud/errors.go |  5 +++--
 internal/pmtud/ipv4.go   | 10 +++++++++-
 internal/pmtud/pmtud.go  |  2 +-
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/internal/pmtud/errors.go b/internal/pmtud/errors.go
index 1e81f1ae..5fc606fe 100644
--- a/internal/pmtud/errors.go
+++ b/internal/pmtud/errors.go
@@ -9,8 +9,9 @@ import (
 )
 
 var (
-	ErrICMPDestinationUnreachable = errors.New("ICMP destination unreachable")
-	ErrICMPBodyUnsupported        = errors.New("ICMP body type is not supported")
+	ErrICMPDestinationUnreachable                  = errors.New("ICMP destination unreachable")
+	ErrICMPCommunicationAdministrativelyProhibited = errors.New("communication administratively prohibited")
+	ErrICMPBodyUnsupported                         = errors.New("ICMP body type is not supported")
 )
 
 func wrapConnErr(err error, timedCtx context.Context, pingTimeout time.Duration) error { //nolint:revive
diff --git a/internal/pmtud/ipv4.go b/internal/pmtud/ipv4.go
index c75c6e3d..e3850f86 100644
--- a/internal/pmtud/ipv4.go
+++ b/internal/pmtud/ipv4.go
@@ -104,7 +104,15 @@ func findIPv4NextHopMTU(ctx context.Context, ip netip.Addr,
 		switch typedBody := inboundMessage.Body.(type) {
 		case *icmp.DstUnreach:
 			const fragmentationRequiredAndDFFlagSetCode = 4
-			if inboundMessage.Code != fragmentationRequiredAndDFFlagSetCode {
+			const communicationAdministrativelyProhibitedCode = 13
+			switch inboundMessage.Code {
+			case fragmentationRequiredAndDFFlagSetCode:
+			case communicationAdministrativelyProhibitedCode:
+				return 0, fmt.Errorf("%w: %w (code %d)",
+					ErrICMPDestinationUnreachable,
+					ErrICMPCommunicationAdministrativelyProhibited,
+					inboundMessage.Code)
+			default:
 				return 0, fmt.Errorf("%w: code %d",
 					ErrICMPDestinationUnreachable, inboundMessage.Code)
 			}
diff --git a/internal/pmtud/pmtud.go b/internal/pmtud/pmtud.go
index 5c94da85..1cdabe2c 100644
--- a/internal/pmtud/pmtud.go
+++ b/internal/pmtud/pmtud.go
@@ -37,7 +37,7 @@ func PathMTUDiscover(ctx context.Context, ip netip.Addr,
 		switch {
 		case err == nil:
 			return mtu, nil
-		case errors.Is(err, net.ErrClosed): // blackhole
+		case errors.Is(err, net.ErrClosed) || errors.Is(err, ErrICMPCommunicationAdministrativelyProhibited): // blackhole
 		default:
 			return 0, fmt.Errorf("finding IPv4 next hop MTU: %w", err)
 		}