| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <effc10de-e7a9-4721-84ee-caafcf9aedb8@openvpn.net> Date: Tue, 13 May 2025 09:51:55 +0200 From: Antonio Quartulli <antonio@...nvpn.net> To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org Cc: Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Sabrina Dubroca <sd@...asysnail.net>, Gert Doering <gert@...enie.muc.de> Subject: Re: [PATCH net-next 03/10] ovpn: set skb->ignore_df = 1 before sending IPv6 packets out On 13/05/2025 09:37, Paolo Abeni wrote: > On 5/9/25 4:26 PM, Antonio Quartulli wrote: >> IPv6 user packets (sent over the tunnel) may be larger than >> the outgoing interface MTU after encapsulation. >> When this happens ovpn should allow the kernel to fragment >> them because they are "locally generated". >> >> To achieve the above, we must set skb->ignore_df = 1 >> so that ip6_fragment() can be made aware of this decision. > > Why the above applies only to IPv6? AFAICS the same could happen even > for IPv4. For IPv4 we have the 'df=0' param that is passed to udp_tunnel_xmit_skb(), which basically leads to the same result. Originally (in some old version of the original ovpn submission) I had skb->ignore_df=1 in the common path, but then it was removed when Sabrina highlighted the df param. However, we overlooked that there is no such param/logic for IPv6, hence we need the explicit ignore_df=1 for IPv6. Regards, -- Antonio Quartulli OpenVPN Inc.
Powered by blists - more mailing lists