| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20161103222751.5ae120ed@halley>
Date: Thu, 3 Nov 2016 22:27:51 +0200
From: Shmulik Ladkani <shmulik.ladkani@...il.com>
To: Lance Richardson <lrichard@...hat.com>, fw@...len.de,
hannes@...essinduktion.org
Cc: netdev@...r.kernel.org, jtluka@...hat.com
Subject: Re: [PATCH net v3] ipv4: allow local fragmentation in
ip_finish_output_gso()
Hi Hannes, Lance,
On Wed, 2 Nov 2016 16:36:17 -0400 Lance Richardson <lrichard@...hat.com> wrote:
>
> - if (skb_iif && !(df & htons(IP_DF))) {
> - /* Arrived from an ingress interface, got encapsulated, with
> - * fragmentation of encapulating frames allowed.
> - * If skb is gso, the resulting encapsulated network segments
> - * may exceed dst mtu.
> - * Allow IP Fragmentation of segments.
> - */
> - IPCB(skb)->flags |= IPSKB_FRAG_SEGS;
> - }
Thinking this over, I'm concerned of this change.
Few months back, we discussed this and got to the conclusion that in the
"ingress,tunnel,egress" scenario, segments are allowed to be
fragmented if the original inner ip packet does NOT have the DF.
See
https://patchwork.ozlabs.org/patch/657132/
https://patchwork.ozlabs.org/patch/661219/
I think you expressed that those tunneled skbs already having DF set
should go through pmtu discovery.
Suggested patch unconditionally calls skb_gso_validate_mtu().
Thus we're changing behavior for "ingress,tunnel,egress" scenario of
the tunneled packets having DF set in the inner iph.
WDYT?
Powered by blists - more mailing lists