From: Vasily Averin <vvs@parallels.com>
To: Vasily Averin <vvs@parallels.com>, Patrick McHardy <kaber@trash.net>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
bridge@lists.linux-foundation.org,
netfilter-devel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Bridge] [PATCH 1/1] superfluous skb->nfct check in br_nf_dev_queue_xmit
Date: Sun, 20 Apr 2014 09:33:41 +0400 [thread overview]
Message-ID: <53535C35.7070108@parallels.com> (raw)
In-Reply-To: <534FB7D2.3020705@parallels.com>
Please do not apply my patch, probably it breaks processing of VLAN packets.
Dear Patrick,
could you please explain why fragmentation of packets requires enabled
connection tracking?
During old patch discussion you told "everything related to fragmenting
is only needed with NF_CONNTRACK". However before adding (skb->nfct) check
bridge worked well with fragments, and I cannot understand what exactly in
ip_fragment should not work with disabled connection trackng.
From my point of view its better to drop packets in ip_fragment(),
where failcounters accounts these events instead silent dropping
in br_dev_queu_push_xmit().
So could you please explain, why we need to have skb->nfct check
in br_nf_dev_queue_xmit()?
Thank you,
Vasily Averin
On 04/17/2014 03:15 PM, Vasily Averin wrote:
> skb->nfct check in br_nf_dev_queue_xmit() does not work if conntracks
> are not loaded on the node. This check does not allow to fragment skb
> combined from incoming fragments, as results this skb will be dropped
> silently in br_dev_queue_push_xmit()
>
> This check was added in commit c197facc8ea08062f8f949aade6a33649ee06771
> netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge
>
> I believe this check is superfluous and should be removed.
>
> Signed-off-by: Vasily Averin <vvs@openvz.org>
> ---
> net/bridge/br_netfilter.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> index 80e1b0f..6a8407c 100644
> --- a/net/bridge/br_netfilter.c
> +++ b/net/bridge/br_netfilter.c
> @@ -864,7 +864,7 @@ static int br_nf_dev_queue_xmit(struct sk_buff *skb)
> {
> int ret;
>
> - if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
> + if (skb->protocol == htons(ETH_P_IP) &&
> skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
> !skb_is_gso(skb)) {
> if (br_parse_ip_options(skb))
>
next prev parent reply other threads:[~2014-04-20 5:33 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-17 11:15 [Bridge] [PATCH 1/1] superfluous skb->nfct check in br_nf_dev_queue_xmit Vasily Averin
2014-04-20 5:33 ` Vasily Averin [this message]
2014-04-24 17:05 ` Florian Westphal
2014-04-28 12:37 ` Vasily Averin
2014-04-28 13:16 ` Florian Westphal
2014-04-28 14:25 ` Vasily Averin
2014-04-28 14:32 ` Pablo Neira Ayuso
2014-04-30 9:06 ` Vasily Averin
2014-04-29 14:17 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53535C35.7070108@parallels.com \
--to=vvs@parallels.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).