From: Patrick McHardy <kaber@trash.net>
To: Vasily Averin <vvs@parallels.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
bridge@lists.linux-foundation.org,
netfilter-devel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Bridge] [PATCH 1/1] superfluous skb->nfct check in br_nf_dev_queue_xmit
Date: Tue, 29 Apr 2014 14:17:27 -0000 [thread overview]
Message-ID: <20140429141032.GC12129@macbook.localnet> (raw)
In-Reply-To: <53535C35.7070108@parallels.com>
On Sun, Apr 20, 2014 at 09:33:41AM +0400, Vasily Averin wrote:
> Please do not apply my patch, probably it breaks processing of VLAN packets.
>
> Dear Patrick,
> could you please explain why fragmentation of packets requires enabled
> connection tracking?
It doesn't require connection tracking, but connection tracking is the
only reason why we should fragment here since connection tracking does
defragmentation.
> During old patch discussion you told "everything related to fragmenting
> is only needed with NF_CONNTRACK". However before adding (skb->nfct) check
> bridge worked well with fragments, and I cannot understand what exactly in
> ip_fragment should not work with disabled connection trackng.
A bridge should not fragment packets. This is only done to counter the
effects of connection tracking, hence we only do it if connection tracking
is enabled.
>
> >From my point of view its better to drop packets in ip_fragment(),
> where failcounters accounts these events instead silent dropping
> in br_dev_queu_push_xmit().
>
> So could you please explain, why we need to have skb->nfct check
> in br_nf_dev_queue_xmit()?
>
> Thank you,
> Vasily Averin
>
> On 04/17/2014 03:15 PM, Vasily Averin wrote:
> > skb->nfct check in br_nf_dev_queue_xmit() does not work if conntracks
> > are not loaded on the node. This check does not allow to fragment skb
> > combined from incoming fragments, as results this skb will be dropped
> > silently in br_dev_queue_push_xmit()
> >
> > This check was added in commit c197facc8ea08062f8f949aade6a33649ee06771
> > netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge
> >
> > I believe this check is superfluous and should be removed.
> >
> > Signed-off-by: Vasily Averin <vvs@openvz.org>
> > ---
> > net/bridge/br_netfilter.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> > index 80e1b0f..6a8407c 100644
> > --- a/net/bridge/br_netfilter.c
> > +++ b/net/bridge/br_netfilter.c
> > @@ -864,7 +864,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
> > {
> > int ret;
> >
> > - if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
> > + if (skb->protocol == htons(ETH_P_IP) &&
> > skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
> > !skb_is_gso(skb)) {
> > if (br_parse_ip_options(skb))
> >
WARNING: multiple messages have this Message-ID (diff)
From: Patrick McHardy <kaber@trash.net>
To: Vasily Averin <vvs@parallels.com>
Cc: bridge@lists.linux-foundation.org,
Stephen Hemminger <stephen@networkplumber.org>,
Saikiran Madugula <hummerbliss@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/1] superfluous skb->nfct check in br_nf_dev_queue_xmit
Date: Tue, 29 Apr 2014 15:10:34 +0100 [thread overview]
Message-ID: <20140429141032.GC12129@macbook.localnet> (raw)
In-Reply-To: <53535C35.7070108@parallels.com>
On Sun, Apr 20, 2014 at 09:33:41AM +0400, Vasily Averin wrote:
> Please do not apply my patch, probably it breaks processing of VLAN packets.
>
> Dear Patrick,
> could you please explain why fragmentation of packets requires enabled
> connection tracking?
It doesn't require connection tracking, but connection tracking is the
only reason why we should fragment here since connection tracking does
defragmentation.
> During old patch discussion you told "everything related to fragmenting
> is only needed with NF_CONNTRACK". However before adding (skb->nfct) check
> bridge worked well with fragments, and I cannot understand what exactly in
> ip_fragment should not work with disabled connection trackng.
A bridge should not fragment packets. This is only done to counter the
effects of connection tracking, hence we only do it if connection tracking
is enabled.
>
> >From my point of view its better to drop packets in ip_fragment(),
> where failcounters accounts these events instead silent dropping
> in br_dev_queu_push_xmit().
>
> So could you please explain, why we need to have skb->nfct check
> in br_nf_dev_queue_xmit()?
>
> Thank you,
> Vasily Averin
>
> On 04/17/2014 03:15 PM, Vasily Averin wrote:
> > skb->nfct check in br_nf_dev_queue_xmit() does not work if conntracks
> > are not loaded on the node. This check does not allow to fragment skb
> > combined from incoming fragments, as results this skb will be dropped
> > silently in br_dev_queue_push_xmit()
> >
> > This check was added in commit c197facc8ea08062f8f949aade6a33649ee06771
> > netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge
> >
> > I believe this check is superfluous and should be removed.
> >
> > Signed-off-by: Vasily Averin <vvs@openvz.org>
> > ---
> > net/bridge/br_netfilter.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> > index 80e1b0f..6a8407c 100644
> > --- a/net/bridge/br_netfilter.c
> > +++ b/net/bridge/br_netfilter.c
> > @@ -864,7 +864,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
> > {
> > int ret;
> >
> > - if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
> > + if (skb->protocol == htons(ETH_P_IP) &&
> > skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
> > !skb_is_gso(skb)) {
> > if (br_parse_ip_options(skb))
> >
next prev parent reply other threads:[~2014-04-29 14:17 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-17 11:15 [Bridge] [PATCH 1/1] superfluous skb->nfct check in br_nf_dev_queue_xmit Vasily Averin
2014-04-20 5:33 ` Vasily Averin
2014-04-20 5:33 ` Vasily Averin
2014-04-24 16:32 ` Florian Westphal
2014-04-24 17:05 ` [Bridge] " Florian Westphal
2014-04-28 12:37 ` Vasily Averin
2014-04-28 12:37 ` Vasily Averin
2014-04-28 13:16 ` Florian Westphal
2014-04-28 13:16 ` [Bridge] " Florian Westphal
2014-04-28 14:25 ` Vasily Averin
2014-04-28 14:25 ` Vasily Averin
2014-04-28 14:32 ` [Bridge] " Pablo Neira Ayuso
2014-04-28 14:32 ` Pablo Neira Ayuso
2014-04-30 9:06 ` [Bridge] " Vasily Averin
2014-04-30 9:06 ` Vasily Averin
2014-04-30 8:54 ` [PATCH] bridge: Superfluous " Vasily Averin
2014-04-30 9:39 ` Pablo Neira Ayuso
2014-04-30 10:02 ` Florian Westphal
2014-05-04 12:54 ` Pablo Neira Ayuso
2014-05-04 19:04 ` Vasily Averin
2014-05-04 19:25 ` Pablo Neira Ayuso
2014-05-04 20:17 ` [PATCH v2] bridge: superfluous " Vasily Averin
2014-05-05 14:07 ` Pablo Neira Ayuso
2014-04-29 14:10 ` Patrick McHardy [this message]
2014-04-29 14:17 ` [Bridge] [PATCH 1/1] " Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140429141032.GC12129@macbook.localnet \
--to=kaber@trash.net \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=stephen@networkplumber.org \
--cc=vvs@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.