| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1398785021.4033.19.camel@sakura.staff.proxad.net> Date: Tue, 29 Apr 2014 17:23:41 +0200 From: Maxime Bizon <mbizon@...ebox.fr> To: Patrick McHardy <kaber@...sh.net> Cc: Eric Dumazet <edumazet@...gle.com>, davem@...emloft.net, netdev <netdev@...r.kernel.org> Subject: Re: problem forwarding IP fragments with DF bit set (caused by ipv4: fix path MTU discovery with connection tracking) On Tue, 2014-04-29 at 15:45 +0100, Patrick McHardy wrote: > Right, that is not correct of course. We save the original packet size > and should either refragment to that size or send an ICMP frag required > if the original size exceeds the outgoing MTU. yep indeed, if any fragment is bigger than outgoing MTU > So your patch does look correct, however we should probably only set > local_df in conntrack defrag. I thought of putting it in conntrack code first, but I had some doubts. There are a lot of possible paths that can be taken after reassembly (ipsec, tunnel, ...), and I did not audit all of them. Since the patch that caused this regression modified the generic fragmentation code, it may have caused other silent breakage. Eric/David, could I get your feeling about this ? Thanks, -- Maxime -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists