lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 26 May 2007 16:20:59 +0200
From:	Ingo Oeser <ioe-lkml@...eria.de>
To:	Patrick McHardy <kaber@...sh.net>
Cc:	Adam Osuchowski <adwol@...k.pl>,
	Stephen Hemminger <shemminger@...ux-foundation.org>,
	bridge@...ts.linux-foundation.org, linux-kernel@...r.kernel.org
Subject: Re: [Bridge] [BUG] Dropping fragmented IP packets within VLAN frames on bridge

On Saturday 26 May 2007, Patrick McHardy wrote:
> Adam Osuchowski wrote:
> >     if (((skb->protocol == htons(ETH_P_IP) && skb->len > skb->dev->mtu) ||
> >         (IS_VLAN_IP(skb) && skb->len > skb->dev->mtu - VLAN_HLEN)) &&
> > 	!skb_is_gso(skb))
> > 	    return ip_fragment ...
> 
> 
> net/8021q ignores the VLAN header overhead, so we should probably do the
> same here for consistency. Using IS_VLAN_IP (and IS_PPPOE_IP for current
> -rc) looks fine, additionally we should probably also check for
> skb->nfct != NULL to make sure that at least without connection tracking
> the bridge doesn't perform fragmentation.

And could we separe the conditions for that into a static helper function
explaining each of these conditions? e.g. sth. like that:

static bool br_nf_need_fragment(struct sk_buff *skb)
{
	/* Plain IP packet does not fit in MTU */
	if (!(skb->protocol == htons(ETH_P_IP) && skb->len > skb->dev->mtu))
		return true;

	/* VLAN encapsulated IP packet does not fit in MTU */
	if (IS_VLAN_IP(skb) && skb->len > skb->dev->mtu - VLAN_HLEN)
		return true;

	/* PPPoE encapsulated IP packet does not fit in MTU */
	if (IS_PPPOE_IP(skb) && skb->len > skb->dev->mtu - PPPOE_SES_HLEN)
		return true;

	return false;
}

and then br_nf_dev_queue_xmit() becomes:

static int br_nf_dev_queue_xmit(struct sk_buff *skb)
{
        if (br_nf_need_fragment(skb) &&  !skb_is_gso(skb))
                return ip_fragment(skb, br_dev_queue_push_xmit);
        else
                return br_dev_queue_push_xmit(skb);
}

which is much more readable, more documented and doesn't contain a condition monster :-)

@Patrick: Could you check, wether the PPPoE case is correct?

What do you think? Should I submit a patch for that?


Best Regards

Ingo Oeser
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ