Re: [NFQUEUE] lack of UID/GID fields in fragmented packets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Piotr Sawicki <piotr.sawicki@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [NFQUEUE] lack of UID/GID fields in fragmented packets
Date: Sat, 17 Jun 2017 22:23:20 +0200	[thread overview]
Message-ID: <20170617202320.GA28291@breakpoint.cc> (raw)
In-Reply-To: <oi3n2u$cs6$1@blaine.gmane.org>

Piotr Sawicki <piotr.sawicki@gmail.com> wrote:
> Everything works fine until I try to send huge packets. When the size of
> these packets is larger than MTU then the fragmentation occurs. I've
> observed that the first fragment has valid UID and GID fields, but the rest
> of the fragments do not include them.
> 
> I've found that the remedy for this concern is to set NFQA_CFG_F_GSO flag.

All users should set this flag.

We can't make it default because it breaks old applications
that can't deal with large (offload) packets.

> I've found that when the fragmentation procedure splits the packet into
> fragments, it keeps a valid sk only in the first fragment. Therefore, it is
> impossible to fetch valid UID and GID fields from the rest of the fragments.
> 
> Is it intended behavior, or is it a bug?

Neither.  UID code was added later, so this wasn't a problem.
I would suggest to just set F_GSO flag; it has no disadvantages.

     prev parent reply	other threads:[~2017-06-17 20:24 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-06-17 16:58 [NFQUEUE] lack of UID/GID fields in fragmented packets Piotr Sawicki
2017-06-17 20:23 ` Florian Westphal [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20170617202320.GA28291@breakpoint.cc \
    --to=fw@strlen.de \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=piotr.sawicki@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.