Handle administrative prohibition of ICMP

internal/pmtud/errors.go

@@ -9,8 +9,9 @@ import (
 )
 
 var (
-	ErrICMPDestinationUnreachable = errors.New("ICMP destination unreachable")
+	ErrICMPDestinationUnreachable                  = errors.New("ICMP destination unreachable")
-	ErrICMPBodyUnsupported        = errors.New("ICMP body type is not supported")
+	ErrICMPCommunicationAdministrativelyProhibited = errors.New("communication administratively prohibited")
+	ErrICMPBodyUnsupported                         = errors.New("ICMP body type is not supported")
 )
 
 func wrapConnErr(err error, timedCtx context.Context, pingTimeout time.Duration) error { //nolint:revive

internal/pmtud/ipv4.go

@@ -104,7 +104,15 @@ func findIPv4NextHopMTU(ctx context.Context, ip netip.Addr,
 		switch typedBody := inboundMessage.Body.(type) {
 		case *icmp.DstUnreach:
 			const fragmentationRequiredAndDFFlagSetCode = 4
-			if inboundMessage.Code != fragmentationRequiredAndDFFlagSetCode {
+			const communicationAdministrativelyProhibitedCode = 13
+			switch inboundMessage.Code {
+			case fragmentationRequiredAndDFFlagSetCode:
+			case communicationAdministrativelyProhibitedCode:
+				return 0, fmt.Errorf("%w: %w (code %d)",
+					ErrICMPDestinationUnreachable,
+					ErrICMPCommunicationAdministrativelyProhibited,
+					inboundMessage.Code)
+			default:
 				return 0, fmt.Errorf("%w: code %d",
 					ErrICMPDestinationUnreachable, inboundMessage.Code)
 			}

internal/pmtud/pmtud.go

@@ -37,7 +37,7 @@ func PathMTUDiscover(ctx context.Context, ip netip.Addr,
 		switch {
 		case err == nil:
 			return mtu, nil
-		case errors.Is(err, net.ErrClosed): // blackhole
+		case errors.Is(err, net.ErrClosed) || errors.Is(err, ErrICMPCommunicationAdministrativelyProhibited): // blackhole
 		default:
 			return 0, fmt.Errorf("finding IPv4 next hop MTU: %w", err)
 		}