From: Florian Westphal <fw@strlen.de>
To: Joe Stringer <joestringer@nicira.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org,
Linux Netdev List <netdev@vger.kernel.org>,
Andy Zhou <azhou@nicira.com>
Subject: Re: [PATCH nf-next 0/4] netfilter: rework netfilter ipv6 defrag
Date: Tue, 20 Oct 2015 10:17:16 +0200 [thread overview]
Message-ID: <20151020081716.GH4386@breakpoint.cc> (raw)
In-Reply-To: <CANr6G5zvmj_tL5Pt6-70GQ4dTJXLewX9A4uMGC_0OFzXYQVdew@mail.gmail.com>
Joe Stringer <joestringer@nicira.com> wrote:
> On 17 October 2015 at 13:14, Florian Westphal <fw@strlen.de> wrote:
> > [ CC netdev since patch #2 isn't nf-specific. Dave, if you want
> > I can resubmit that one after the next nf-pull request; let me know if
> > you would prefer that ].
> >
> > Openvswitch seems broken wrt. to defragmentation, it doesn't call
> > nf_ct_frag6_consume_orig to free the original fragments.
>
> This will need to be fixed for 'net' as well, do you have a path in
> mind for that?
Good point. No, I don't. Any suggestions?
I can try to just re-target -nf tree (sans patch #2). Pablo?
ipv4 side seems broken as well (ip_defrag frees skb on errors other than
-EINPROGRESS, so it looks like we will double-free in
do_execute_actions)
> Patch 3 when taken independently from patch 4 hides user-visible error
> codes on the OVS side. The OVS conntrack action hides -EINPROGRESS
> from userspace, treating it as a successful execution. All other
> errors are returned up. With that patch, all errors will be hidden. I
> see that it's fixed in Patch 4, so maybe it's not a biggie but those
> two patches should be tightly coupled.
You're right, we can't signal "skb unchanged". I guess one could
just test wheter skb is a fragment and -EINVAL if it is, not sure
if its worth doing given that such test would be removed again
by the very next patch?
next prev parent reply other threads:[~2015-10-20 8:17 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-17 20:14 [PATCH nf-next 0/4] netfilter: rework netfilter ipv6 defrag Florian Westphal
2015-10-17 20:14 ` [PATCH nf-next 1/4] netfilter: ipv6: remove extra clone/free operations Florian Westphal
2015-10-17 20:14 ` [PATCH nf-next 2/4] inet: kill obsolete skb_free op Florian Westphal
2015-10-17 20:14 ` [PATCH nf-next 3/4] netfilter: ipv6: in-place replacement of last skb Florian Westphal
2015-10-20 18:39 ` Joe Stringer
2015-10-20 20:46 ` Florian Westphal
2015-10-17 20:14 ` [PATCH nf-next 4/4] netfilter: ipv6: avoid nf_iterate recursion Florian Westphal
2015-10-20 6:25 ` Joe Stringer
2015-10-20 8:18 ` Florian Westphal
2015-10-20 6:16 ` [PATCH nf-next 0/4] netfilter: rework netfilter ipv6 defrag Joe Stringer
2015-10-20 8:17 ` Florian Westphal [this message]
2015-10-20 18:43 ` Joe Stringer
2015-10-20 20:53 ` Florian Westphal
2015-10-20 23:59 ` Joe Stringer
2015-10-21 12:42 ` Pablo Neira Ayuso
2015-10-21 14:50 ` Florian Westphal
2015-10-21 16:52 ` Joe Stringer
2015-10-21 14:34 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151020081716.GH4386@breakpoint.cc \
--to=fw@strlen.de \
--cc=azhou@nicira.com \
--cc=joestringer@nicira.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.