From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Patrick McHardy <kaber@trash.net>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
Julian Anastasov <ja@ssi.bg>,
Hans Schillstrom <hans@schillstrom.com>,
Hans Schillstrom <hans.schillstrom@ericsson.com>
Subject: Re: [PATCH 05/19] netfilter: nf_conntrack_ipv6: improve fragmentation handling
Date: Mon, 27 Aug 2012 12:13:48 +0200 [thread overview]
Message-ID: <1346062428.3069.398.camel@localhost> (raw)
In-Reply-To: <Pine.GSO.4.63.1208262318550.16771@stinky-local.trash.net>
On Sun, 2012-08-26 at 23:20 +0200, Patrick McHardy wrote:
> On Wed, 22 Aug 2012, Jesper Dangaard Brouer wrote:
>
> > On Sun, 2012-08-19 at 21:44 +0200, Patrick McHardy wrote:
> >> On Sun, 19 Aug 2012, Jesper Dangaard Brouer wrote:
> >>> On Sat, 2012-08-18 at 14:26 +0200, Patrick McHardy wrote:
> > [...]
> >
> >>> Don't I need to load some of the helper modules, or just the
> >>> nf_conntrack_ipv6 module, or perhaps only nf_defrag_ipv6 ?
> >>
> >> Not with the entire patchset, just IPv6 conntrack is enough. Aith IPv6 NAT
> >> the first packet of a connection must always be defragemented, independant
> >> of an assigned helper.
> >
> > When loading "nf_conntrack_ipv6" I run into issues.
> >
> > When sending a fragmented UDP packet. With these patches, the IPVS
> > stack will no longer see the fragmented packets, but instead see one
> > large SKB. This will trigger a MTU path check in e.g.
> > ip_vs_dr_xmit_v6() and an ICMPv6 too big packet is send back.
> >
> > IPVS: ip_vs_dr_xmit_v6(): frag needed
> >
> > Perhaps we could change/fix the MTU check in IPVS?
> > (This would also solve issues I've seen with TSO/GSO frames, hitting
> > this code path).
>
> I guess this should use the same check as in IPv6 output, check
> whether IP6CB(skb)->max_frag_size is != 0 and > MTU and only send
> an ICMPv6 error in that case.
Hans have (already) proposed this solution:
if ((!skb->local_df && skb->len > mtu && !skb_is_gso(skb)) ||
(IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)) {
And I have tested it works.
But I'm not sure about, if we really need the "!skb->local_df" check ?
Thus, we should extend you patchset with a patch, that also address the
MTU checks in IPVS.
--
Best regards,
Jesper Dangaard Brouer
MSc.CS, Sr. Network Kernel Developer at Red Hat
Author of http://www.iptv-analyzer.org
LinkedIn: http://www.linkedin.com/in/brouer
next prev parent reply other threads:[~2012-08-27 10:14 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-08-09 20:08 [PATCH 00/19] netfilter: IPv6 NAT kaber
2012-08-09 20:08 ` [PATCH 01/19] netfilter: nf_ct_sip: fix helper name kaber
2012-08-14 0:00 ` Pablo Neira Ayuso
2012-08-09 20:08 ` [PATCH 02/19] netfilter: nf_ct_sip: fix IPv6 address parsing kaber
2012-08-14 0:19 ` Pablo Neira Ayuso
2012-08-09 20:08 ` [PATCH 03/19] netfilter: nf_nat_sip: fix via header translation with multiple parameters kaber
2012-08-14 0:28 ` Pablo Neira Ayuso
2012-08-14 12:23 ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 04/19] ipv4: fix path MTU discovery with connection tracking kaber
2012-08-09 20:08 ` [PATCH 05/19] netfilter: nf_conntrack_ipv6: improve fragmentation handling kaber
2012-08-17 8:06 ` Jesper Dangaard Brouer
2012-08-18 12:26 ` Patrick McHardy
2012-08-19 19:37 ` Jesper Dangaard Brouer
2012-08-19 19:44 ` Patrick McHardy
2012-08-20 13:13 ` Jesper Dangaard Brouer
2012-08-22 22:21 ` Patrick McHardy
2012-08-21 22:21 ` Jesper Dangaard Brouer
2012-08-26 21:20 ` Patrick McHardy
2012-08-27 10:13 ` Jesper Dangaard Brouer [this message]
2012-08-27 10:41 ` Patrick McHardy
2012-08-27 14:40 ` [PATCH 0/2] net: ipvs and netfilter IPv6 defrag MTU handling Jesper Dangaard Brouer
2012-08-27 14:40 ` [PATCH 1/2] ipvs: IPv6 MTU checking cleanup and bugfix Jesper Dangaard Brouer
2012-08-27 14:42 ` [PATCH 2/2] ipvs: Extend MTU check to account for IPv6 NAT defrag changes Jesper Dangaard Brouer
2012-08-27 15:20 ` Julian Anastasov
2012-08-28 8:22 ` Patrick McHardy
2012-08-28 8:28 ` Simon Horman
2012-08-28 14:21 ` [PATCH V2 0/2] net: ipvs and netfilter IPv6 defrag MTU handling Jesper Dangaard Brouer
2012-08-28 14:22 ` [PATCH V2 1/2] ipvs: IPv6 MTU checking cleanup and bugfix Jesper Dangaard Brouer
2012-08-28 20:08 ` Patrick McHardy
2012-08-28 14:23 ` [PATCH V2 2/2] ipvs: Extend MTU check to account for IPv6 NAT defrag changes Jesper Dangaard Brouer
2012-08-28 14:49 ` Eric Dumazet
2012-08-29 7:02 ` Jesper Dangaard Brouer
2012-08-29 8:43 ` Eric Dumazet
2012-08-29 9:04 ` Jesper Dangaard Brouer
2012-08-28 20:10 ` Patrick McHardy
2012-08-28 9:03 ` [PATCH " Jesper Dangaard Brouer
2012-08-28 9:47 ` Julian Anastasov
2012-08-17 13:36 ` [PATCH 05/19] netfilter: nf_conntrack_ipv6: improve fragmentation handling Pablo Neira Ayuso
2012-08-18 12:43 ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 06/19] netfilter: nf_conntrack_ipv6: fix tracking of ICMPv6 error messages containing fragments kaber
2012-08-09 20:08 ` [PATCH 07/19] netfilter: nf_conntrack: restrict NAT helper invocation to IPv4 kaber
2012-08-09 20:08 ` [PATCH 08/19] netfilter: nf_nat: add protoff argument to packet mangling functions kaber
2012-08-09 20:08 ` [PATCH 09/19] netfilter: add protocol independant NAT core kaber
2012-08-09 20:08 ` [PATCH 10/19] netfilter: ipv6: expand skb head in ip6_route_me_harder after oif change kaber
2012-08-09 20:08 ` [PATCH 11/19] net: core: add function for incremental IPv6 pseudo header checksum updates kaber
2012-08-09 20:08 ` [PATCH 12/19] netfilter: ipv6: add IPv6 NAT support kaber
2012-08-09 20:08 ` [PATCH 13/19] netfilter: ip6tables: add MASQUERADE target kaber
2012-08-17 13:11 ` Pablo Neira Ayuso
2012-08-18 12:31 ` Patrick McHardy
2012-08-09 20:08 ` [PATCH 14/19] netfilter: ip6tables: add REDIRECT target kaber
2012-08-09 20:08 ` [PATCH 15/19] netfilter: ip6tables: add NETMAP target kaber
2012-08-09 20:09 ` [PATCH 16/19] netfilter: nf_nat: support IPv6 in FTP NAT helper kaber
2012-08-09 20:09 ` [PATCH 17/19] netfilter: nf_nat: support IPv6 in amanda " kaber
2012-08-09 20:09 ` [PATCH 18/19] netfilter: nf_nat: support IPv6 in SIP " kaber
2012-08-09 20:09 ` [PATCH 19/19] netfilter: ip6tables: add stateless IPv6-to-IPv6 Network Prefix Translation target kaber
2012-08-09 21:55 ` Jan Engelhardt
2012-08-09 22:25 ` Patrick McHardy
2012-08-09 20:56 ` [PATCH 00/19] netfilter: IPv6 NAT Eric W. Biederman
2012-08-09 21:52 ` Patrick McHardy
2012-08-09 22:00 ` Pablo Neira Ayuso
2012-08-09 22:30 ` Patrick McHardy
2012-08-17 13:42 ` Pablo Neira Ayuso
2012-08-18 12:46 ` Patrick McHardy
2012-08-25 0:58 ` Andre Tomt
2012-08-25 1:16 ` Andre Tomt
2012-08-26 18:06 ` Patrick McHardy
2012-08-27 7:33 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1346062428.3069.398.camel@localhost \
--to=brouer@redhat.com \
--cc=hans.schillstrom@ericsson.com \
--cc=hans@schillstrom.com \
--cc=ja@ssi.bg \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.