From: Patrick McHardy <kaber@trash.net>
To: Thomas Zeitlhofer <thomas.zeitlhofer@nt.tuwien.ac.at>
Cc: netdev@vger.kernel.org,
Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
linux-kernel@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: bridge+netfilter broken for IP fragments in 2.6.16?
Date: Mon, 03 Apr 2006 01:11:46 +0200
Message-ID: <44305A32.1010109@trash.net>
In-Reply-To: <20060402225625.GA22612@swan.nt.tuwien.ac.at>
Thomas Zeitlhofer wrote:
> On Sun, Apr 02, 2006 at 09:19:30PM +0200, Patrick McHardy wrote:
>
>>>Doing the same on 2.6.15.x shows:
>>>
>>> 1) on tap1: fragmented packets
>>> 2) on br0: the defragmented packet (connection tracking)
>>> 3) on eth1: fragmented packets
>>
>>Are you sure this is correct? I think in 2.6.15 you should see
>>the fragments on br0 already.
>
>
> Just verified it, at least in 2.6.15.6 tcpdump shows the defragmented
> packet on br0.

I'm probably missing something, but that still seems strange.
Are you also seeing the defragmented packet on br0 with my
patch?

>>Anyway, since 2.6.16 ip_conntrack doesn't do refragmentation anymore
>>but relies on fragmentation in the IP layer. Purely bridged packets
>>don't go through the IP layer, so the bridge netfilter code needs to
>>take care of fragmentation itself. Please try if this patch helps.
>
>
> Your patch solves the problem - tcpdump now shows the refragmented
> packets on eth1. Thanks for the quick solution.
>
> Just a note, your patch does not work when bridge is compiled as a
> module. In this case modprobe fails with "bridge: Unknown symbol
> ip_fragment". Using CONFIG_BRIDGE=y works.

Thanks, I missed that the Makefile adds br_netfilter.o to
bridge-$(CONFIG_BRIDGE_NETFILTER), not obj-$(...).