From: Florian Westphal <fw@strlen.de>
To: Bernhard Thaler <bernhard.thaler@wvnet.at>
Cc: pablo@netfilter.org, kadlec@blackhole.kfki.hu,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCHv3 1/1] bridge: forward IPv6 fragmented packets when passing netfilter
Date: Tue, 27 Jan 2015 10:39:51 +0100
Message-ID: <20150127093951.GE1373@breakpoint.cc>
In-Reply-To: <1422321724-325-1-git-send-email-bernhard.thaler@wvnet.at>

Bernhard Thaler <bernhard.thaler@wvnet.at> wrote:
>         modprobe br_netfilter
>         brctl addbr br0
>         brctl addif br0 eth0
>         brctl addif br0 eth2
>         ifconfig eth0 up
>         ifconfig eth2 up
>         ifconfig br0 up
> 
> 2) place a host with an IPv6 address on each side of the bridge
> 
>         set IPv6 address on host A:
>         ip -6 addr add fd01:2345:6789:1::1/64 dev eth0
> 
>         set IPv6 address on host B:
>         ip -6 addr add fd01:2345:6789:1::2/64 dev eth0
> 
> 3) run a simple ping command on host A with packets > MTU
> 
>         ping6 -s 4000 fd01:2345:6789:1::2
> 
> 4) wait some time and run e.g. "ip6tables -t nat -nvL" on the bridge
> 
> IPv6 fragmented packets traverse the bridge cleanly until "ip6tables -t nat -nvL"
> is run. As soon as it is run (and netfilter modules are loaded) IPv6 fragmented
> packets do not traverse the bridge any more (you see no more responses in ping's
> output).
> 
> Patch exports ip6_fragment() in include/net/ipv6.h and net/ipv6/ip6_output.c
> to use it in net/bridge/br_netfilter.c's br_nf_dev_queue_xmit() for IPv6 packets
> that need to be fragmented.

I think this looks good, however afaics there is now a direct dependency on
ipv6.ko module.  I think it would be nice if we could avoid this.

There are 2 ways to do this,
a) add fragment to nf_ipv6_ops
or
b) add fragment to pingv6_ops in include/net/ping.h

Ideally, those two should be merged into a single one, say e.g. ipv6_ops,
exported by core and wired up when ipv6 module is present, but I don't
want to push this on you, so e.g. adding fragment to nf_ipv6_ops is
fine with me.

With indirect call we could avoid ip6_fragment dependency.
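
The indirect-call arrangement suggested in the reply above, as an added userspace example that is not part of the original message or of the kernel sources: a core-owned hook table that an optional module fills in, so the bridge side has no link-time reference to the fragmenter. All names (`v6_ops`, `model_fragment`, `bridge_xmit`, and so on) are hypothetical, and the fragmenter is a simplified length split that ignores headers.

```c
#include <errno.h>
#include <stddef.h>

/* Userspace model with hypothetical names; not kernel code. */
struct pkt { size_t len; };
typedef int (*out_fn)(struct pkt *);

/* Hook table owned by the always-present core. */
struct v6_ops { int (*fragment)(struct pkt *, size_t mtu, out_fn out); };
static const struct v6_ops *v6_ops_ptr;  /* NULL until the module registers */
/* Single-threaded model: a real hook table needs synchronised pointer access. */
void v6_ops_register(const struct v6_ops *ops) { v6_ops_ptr = ops; }
void v6_ops_unregister(void) { v6_ops_ptr = NULL; }

static int frames_sent;
static int dev_xmit(struct pkt *p) { (void)p; frames_sent++; return 0; }

/* "ipv6 module" side: simplified split, headers ignored. */
static int model_fragment(struct pkt *p, size_t mtu, out_fn out)
{
    if (mtu == 0)
        return -EINVAL;
    for (size_t left = p->len; left > 0; ) {
        struct pkt frag = { left > mtu ? mtu : left };
        int rc = out(&frag);
        if (rc)
            return rc;
        left -= frag.len;
    }
    return 0;
}
static const struct v6_ops model_ops = { .fragment = model_fragment };
void model_ipv6_load(void) { v6_ops_register(&model_ops); }

/* "bridge" side: reaches the fragmenter only through the table. */
int bridge_xmit(struct pkt *p, size_t mtu)
{
    const struct v6_ops *ops = v6_ops_ptr;  /* read once, then test */
    if (p->len <= mtu)
        return dev_xmit(p);
    if (!ops || !ops->fragment)
        return -EAFNOSUPPORT;               /* module absent: drop, do not crash */
    return ops->fragment(p, mtu, dev_xmit);
}
```

The NULL check is the cost of the indirection: with the module absent, oversized packets are dropped with an error rather than dereferencing an empty table.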

