Date: Tue, 8 Apr 2014 02:26:44 +0200
From: Florian Westphal <fw@...len.de>
To: David Miller <davem@...emloft.net>
Cc: fw@...len.de, tobias@...ongswan.org, netdev@...r.kernel.org, herbert@...dor.apana.org.au, mleitner@...hat.com
Subject: Re: Problems with fragments since gso skb forwarding changes in virtual environment

David Miller <davem@...emloft.net> wrote:
> From: Florian Westphal <fw@...len.de>
> Date: Tue, 8 Apr 2014 01:46:40 +0200
>
> > Looking at br_nf_dev_queue_xmit() in br_netfilter.c I see that it has
> > a bug (not related 'gso skbs in forwarding path' change): it assumes
> > that if skb->nfct is NULL no reassembly has taken place. That's not
> > true (can load ipv4 defrag module without ipv4 conntrack one), or
> > netfilter defragmented the packet but then protocol tracker returned
> > error ('INVALID' conntrack state in netfilter speak).
> >
> > I admit it's rare condition, but afaics br_nf_dev_queue_xmit is
> > supposed to re-fragment packets that have been subject to defrag.
>
> In fact, judging by commits:
>
> commit e179e6322ac334e21a3c6d669d95bc967e5d0a80
> Author: Bart De Schuymer <bdschuym@...dora.be>
> Date: Thu Apr 15 12:26:39 2010 +0200
>
>     netfilter: bridge-netfilter: Fix MAC header handling with IP DNAT
>
> and subsequently:
>
> commit c197facc8ea08062f8f949aade6a33649ee06771
> Author: hummerbliss@...il.com <hummerbliss@...il.com>
> Date: Mon Apr 20 17:12:35 2009 +0200
>
>     netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge
>
> I would say that we should simply remove the skb->nfct check
> altogether and everything will work fine.

I was thinking about tracking defrag-on-top-of-bridge in skb->nf_bridge.

But after looking at the changes you're mentioning I think you're right,
I don't see how we can end up in br_nf_dev_queue_xmit with
packet-exceeding-MTU and said skb NOT being a defragmented packet.

I am afraid IPv6 defrag also needs to be considered here 8-/

I'll look into it tomorrow.