* [Bridge] Forwarding large fragmented IPv6 packets broken by nf_defrag_ipv6
@ 2014-09-22  7:14 Michał Kępień
  0 siblings, 0 replies; only message in thread
From: Michał Kępień @ 2014-09-22  7:14 UTC (permalink / raw)
  To: bridge

Greetings,

I have found an interoperability issue between two kernel modules:
bridge and nf_defrag_ipv6. After analyzing the issue, I decided to post
to this list first, assuming it would be more appropriate. However, if
this should be reported to another party, please let me know and I'll be
happy to follow your guidelines.

I believe kernel commit 6aafeef broke forwarding of large fragmented
IPv6 packets through a bridge when conntrack is enabled. That commit,
when nf_defrag_ipv6 is loaded, causes br_dev_queue_push_xmit() to
receive a "reassembled SKB" containing a list of fragments, instead of
fragment SKBs themselves. That in turn causes the is_skb_forwardable()
call to return false as it compares the reassembled packet size to the
destination MTU. If the former is larger, the packet is silently
dropped, even though it has been marked as ACCEPTed in ip6tables.

If the above description is unclear, please let me know and I'll
describe an example setup which would demonstrate the issue. I came
across this problem after putting a DNSSEC-enabled DNS server behind a
transparent firewall running Linux and querying for records which
generate large UDP responses.

-- 
Best regards,
Michał Kępień
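The mismatch the report describes, as an added model in C that is not kernel code and not part of the original message: a reassembled head buffer carries the original fragments in a list, so a length check on the head compares the whole packet against the destination MTU, while the frames that actually leave the bridge are the individual fragments. The struct, the function names and the fragment sizes below are constructed for illustration; the real is_skb_forwardable() performs additional checks beyond the length comparison modelled here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of a socket buffer with only the fields this check uses.
 * Constructed for the example; it is not the kernel's struct sk_buff. */
struct model_skb {
	size_t len;                  /* bytes of this buffer; for a reassembled head, the full packet */
	struct model_skb *frag_list; /* original fragments of a reassembled packet, NULL otherwise */
	struct model_skb *next;      /* next fragment in the list */
};

/* Length comparison as the report describes it: forwardable only if the
 * buffer's own length fits the destination MTU. */
static bool forwardable_by_len(const struct model_skb *skb, size_t mtu)
{
	return skb->len <= mtu;
}

/* The same decision applied to each original fragment, i.e. to the frames
 * that would actually be transmitted. Fails if any single fragment exceeds the MTU. */
static bool forwardable_per_fragment(const struct model_skb *skb, size_t mtu)
{
	const struct model_skb *f;

	if (!skb->frag_list)
		return forwardable_by_len(skb, mtu);
	for (f = skb->frag_list; f; f = f->next)
		if (f->len > mtu)
			return false;
	return true;
}

#define FRAG_COUNT 3
/* Constructed fragment sizes: each fits a 1500-byte link, the sum does not. */
static const size_t frag_len[FRAG_COUNT] = { 1280, 1280, 900 };

/* Build a reassembled head whose frag_list holds the three fragments. */
static void build_reassembled(struct model_skb frags[FRAG_COUNT], struct model_skb *head)
{
	size_t total = 0;

	for (int i = 0; i < FRAG_COUNT; i++) {
		frags[i].len = frag_len[i];
		frags[i].frag_list = NULL;
		frags[i].next = (i + 1 < FRAG_COUNT) ? &frags[i + 1] : NULL;
		total += frag_len[i];
	}
	head->len = total;
	head->frag_list = &frags[0];
	head->next = NULL;
}

/* Decision taken on the reassembled head: whole-packet length against the MTU. */
bool reassembled_passes_whole_check(size_t mtu)
{
	struct model_skb frags[FRAG_COUNT], head;

	build_reassembled(frags, &head);
	return forwardable_by_len(&head, mtu);
}

/* Decision taken fragment by fragment. */
bool reassembled_passes_fragment_check(size_t mtu)
{
	struct model_skb frags[FRAG_COUNT], head;

	build_reassembled(frags, &head);
	return forwardable_per_fragment(&head, mtu);
}

int main(void)
{
	size_t mtu = 1500;
	size_t total = frag_len[0] + frag_len[1] + frag_len[2];

	printf("reassembled %zu bytes vs MTU %zu, whole-packet check: %s\n", total, mtu,
	       reassembled_passes_whole_check(mtu) ? "forward" : "drop");
	printf("same packet, per-fragment check: %s\n",
	       reassembled_passes_fragment_check(mtu) ? "forward" : "drop");
	return 0;
}
```

With a 1500-byte MTU the whole-packet check drops the 3460-byte reassembled buffer even though every fragment it holds would have fit the link, which is the silent drop after ACCEPT that the report attributes to the defrag path; lowering the MTU below the largest fragment makes both checks drop, as expected.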
