Message-ID: <1398703056.12635.41.camel@sakura.staff.proxad.net>
Date: Mon, 28 Apr 2014 18:37:36 +0200
From: Maxime Bizon <mbizon@...ebox.fr>
To: Patrick McHardy <kaber@...sh.net>,
Eric Dumazet <edumazet@...gle.com>
Cc: davem@...emloft.net, netdev <netdev@...r.kernel.org>
Subject: problem forwarding IP fragments with DF bit set (caused by ipv4:
fix path MTU discovery with connection tracking)

Hello Patrick & Eric,

After upgrading a router with a kernel that has patch 5f2d04f1f9 (ipv4:
fix path MTU discovery with connection tracking), some packets are not
forwarded anymore.

(note: kernel is 3.11.10, and conntrack is enabled)

Offending packets are IP fragments with DF bit set, MTU is the same on
both interfaces involved in forwarding. All received fragments are
(obviously) below MTU. The resulting packet after re-assembly is however
above MTU.

conntrack causes the packets to be re-assembled, but since the resulting
skb now has IP_DF set, it fails the (DF + MTU) test in ip_forward.c and
causes ICMP frag_needed to be sent.

Without the patch, the packet was (re-)fragmented in the output path
(but as the patch says, breaking PMTUD because original fragment size is
not considered).

--
Maxime
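
The two behaviours described in the message above, as an added example that is not part of the original post and not kernel code: a user-space model that reassembles a constructed pair of DF fragments and applies each forwarding decision for an egress MTU of 1400 and 1500. All struct and function names are assumptions, and `by_fragment_size` is a hypothetical policy shown only for comparison.

```c
/* User-space model of the forwarding decision; not kernel code.
 * All names and the sample fragments are constructed for illustration. */
#include <stdio.h>
#define IP_HDR 20u
struct frag  { unsigned payload; int df; };        /* one received fragment */
struct reasm { unsigned len, max_frag; int df; };  /* after defragmentation */
enum verdict { FORWARD, REFRAGMENT, ICMP_FRAG_NEEDED };

/* Constructed sample: a 2000-byte datagram received as two DF fragments. */
static const struct frag sample[] = { { 1480, 1 }, { 500, 1 } };

/* Reassembly as the report describes it: one datagram that keeps DF. */
static struct reasm reassemble(const struct frag *f, size_t n)
{
    struct reasm r = { IP_HDR, 0, 0 };
    for (size_t i = 0; i < n; i++) {
        unsigned flen = IP_HDR + f[i].payload;
        r.len += f[i].payload;
        if (flen > r.max_frag) r.max_frag = flen;
        r.df |= f[i].df;
    }
    return r;
}

/* Without the patch: re-fragment on output, original sizes never consulted. */
static enum verdict without_patch(struct reasm r, unsigned mtu)
{
    return r.len > mtu ? REFRAGMENT : FORWARD;
}

/* With the patch: the (DF + MTU) test sees the reassembled length. */
static enum verdict with_patch(struct reasm r, unsigned mtu)
{
    return (r.len > mtu && r.df) ? ICMP_FRAG_NEEDED : without_patch(r, mtu);
}

/* Hypothetical policy, not from the message: apply DF to the largest fragment. */
static enum verdict by_fragment_size(struct reasm r, unsigned mtu)
{
    return (r.df && r.max_frag > mtu) ? ICMP_FRAG_NEEDED : without_patch(r, mtu);
}

int main(void)
{
    struct reasm r = reassemble(sample, 2);
    for (unsigned mtu = 1400; mtu <= 1500; mtu += 100)
        printf("mtu %u: %d %d %d\n", mtu, without_patch(r, mtu),
               with_patch(r, mtu), by_fragment_size(r, mtu));
    return 0;
}
```

At MTU 1500 (the reported case) the model without the patch re-fragments while the patched test answers with ICMP frag_needed; at MTU 1400 the model without the patch still re-fragments silently, which is the PMTUD breakage the patch was written for.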