From: "Michał Kępień" <michal.kepien@nask.pl>
To: bridge@lists.linux-foundation.org
Subject: [Bridge] Forwarding large fragmented IPv6 packets broken by nf_defrag_ipv6
Date: Mon, 22 Sep 2014 09:14:59 +0200
Message-ID: <541FCC73.7030208@nask.pl>

Greetings,

I have found an interoperability issue between two kernel modules:
bridge and nf_defrag_ipv6. After analyzing the issue, I decided to post
to this list first, assuming it would be more appropriate. However, if
this should be reported to another party, please let me know and I'll be
happy to follow your guidelines.

I believe kernel commit 6aafeef broke forwarding of large fragmented
IPv6 packets through a bridge when conntrack is enabled. That commit,
when nf_defrag_ipv6 is loaded, causes br_dev_queue_push_xmit() to
receive a "reassembled SKB" containing a list of fragments, instead of
fragment SKBs themselves. That in turn causes the is_skb_forwardable()
call to return false as it compares the reassembled packet size to the
destination MTU. If the former is larger, the packet is silently
dropped, even though it has been marked as ACCEPTed in ip6tables.

If the above description is unclear, please let me know and I'll
describe an example setup which would demonstrate the issue. I came
across this problem after putting a DNSSEC-enabled DNS server behind a
transparent firewall running Linux and querying for records which
generate large UDP responses.

--
Best regards,
Michał Kępień
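
Added example, not part of the original message and not kernel code: a user-space C model of the size check the message describes, showing that the fragments of a large UDP response each pass an MTU comparison while the reassembled datagram does not. `fits_mtu()` is a simplified stand-in for that comparison, and the 1500-byte MTU and 3000-byte payload are constructed values.

```c
#include <stdio.h>
#include <stddef.h>

#define IPV6_HDR_LEN 40 /* fixed IPv6 header */
#define FRAG_HDR_LEN 8  /* IPv6 Fragment extension header */
#define UDP_HDR_LEN  8

/* Assumption: simplified stand-in for the bridge's size test (L3 length vs. egress MTU). */
static int fits_mtu(size_t l3_len, size_t mtu) { return l3_len <= mtu; }

/* Split an upper-layer payload into IPv6 fragments for the sender's MTU
 * (assumed >= 1280, the IPv6 minimum). Stores each fragment's L3 length
 * in out[] and returns the fragment count. */
static size_t ipv6_fragment(size_t upper_len, size_t mtu, size_t *out, size_t max)
{
    /* Every fragment except the last carries a multiple of 8 payload bytes. */
    size_t per_frag = ((mtu - IPV6_HDR_LEN - FRAG_HDR_LEN) / 8) * 8;
    size_t n = 0;

    while (upper_len > 0 && n < max) {
        size_t chunk = upper_len > per_frag ? per_frag : upper_len;
        out[n++] = IPV6_HDR_LEN + FRAG_HDR_LEN + chunk;
        upper_len -= chunk;
    }
    return n;
}

/* Number of fragments that pass when each one is checked on its own. */
static size_t forwarded_per_fragment(const size_t *frags, size_t n, size_t mtu)
{
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        ok += (size_t)fits_mtu(frags[i], mtu);
    return ok;
}

/* L3 length after reassembly: one IPv6 header plus the whole payload. */
static size_t reassembled_len(size_t upper_len) { return IPV6_HDR_LEN + upper_len; }

int main(void)
{
    size_t mtu = 1500, frags[8];       /* constructed sample values */
    size_t upper = UDP_HDR_LEN + 3000; /* large DNSSEC-style UDP response */
    size_t n = ipv6_fragment(upper, mtu, frags, 8);

    printf("fragments: %zu, forwarded individually: %zu\n",
           n, forwarded_per_fragment(frags, n, mtu));
    printf("reassembled: %zu bytes, forwardable: %d\n",
           reassembled_len(upper), fits_mtu(reassembled_len(upper), mtu));
    return 0;
}
```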