From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: hannes@stressinduktion.org
Subject: [PATCH -next, V3 0/2] net: force refragmentation for DF reassembed skbs
Date: Fri, 22 May 2015 16:32:49 +0200
Message-ID: <1432305171-21932-1-git-send-email-fw@strlen.de>

output path tests:

    if (skb->len > mtu) ip_fragment()

This breaks connectivity in one corner case:

 If the skb was reassembled, but has the DF bit set and ..
 .. its reassembled size is <= outdev mtu ..
 .. we will forward a DF packet larger than what the sender
    transmitted on wire.

If a router later in the path can't forward this packet, it will send an
icmp error in response to an mtu that the original sender never exceeded.

This changes ipv4 defrag/output path to

 a) force refragmentation for DF reassembled skbs and
 b) set DF bit on all fragments when refragmenting if it was set on original
    frags.
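
tested via:

#!/usr/bin/python
from scapy.all import *

dip = "10.23.42.2"
payload = "A" * 1400
# 1400-byte UDP datagram with DF set, split so that every fragment carries DF
packet = IP(dst=dip, id=12345, flags='DF') / UDP(sport=42, dport=42) / payload
frags = fragment(packet, fragsize=1200)
for frag in frags:  # renamed so the loop does not shadow scapy's fragment()
    send(frag)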

Without this patch, we generate fragments without df bit set based
on the outgoing device mtu when fragmenting after forwarding, ie.

IP (ttl 64, id 12345, offset 0, flags [+, DF], proto UDP (17), length 1204)
    192.168.7.1.42 > 10.23.42.2.42: UDP, length 1400
IP (ttl 64, id 12345, offset 1184, flags [DF], proto UDP (17), length 244)
    192.168.7.1 > 10.23.42.2: ip-proto-17

on ingress will either turn into

IP (ttl 63, id 12345, offset 0, flags [+], proto UDP (17), length 1396)
    192.168.7.1.42 > 10.23.42.2.42: UDP, length 1400
IP (ttl 63, id 12345, offset 1376, flags [none], proto UDP (17), length 52)

(mtu 1400: We strip df and send larger fragment), or

IP (ttl 63, id 12345, offset 0, flags [DF], proto UDP (17), length 1428)
    192.168.7.1.42 > 10.23.42.2.42: [udp sum ok] UDP, length 1400

if mtu is 1500. And in this case things break; router with a smaller mtu
will send icmp error, but original sender only sent packets <= 1204 byte.

With patch, we keep intent of such fragments and will emit DF-fragments
that won't exceed 1204 byte in size.

Joint work with Hannes Frederic Sowa.

Changes since v2:
 - split unrelated patches from series
 - rework changelog of patch #2 to better illustrate breakage
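
The forwarding decision described in the message above, modelled in plain Python as an added example (not part of the original message and not the kernel code). It reproduces the packet sizes from the tcpdump output for egress MTUs of 1400 and 1500. The function names, the tuple layout, the 20-byte header and the rule that refragmentation is capped at the largest fragment received are assumptions of this model.

```python
# Added illustration: model of forwarding a reassembled IPv4 datagram.
# A fragment is (offset, total_length, more_fragments, df).
IP_HDR = 20  # assumption: IPv4 header without options


def reassemble(frags):
    """Return (total_len, largest_fragment_len, df) for non-overlapping frags."""
    payload = sum(length - IP_HDR for _, length, _, _ in frags)
    largest = max(length for _, length, _, _ in frags)
    # Assumption of this model: DF counts only if every fragment carried it.
    df = all(flag for _, _, _, flag in frags)
    return IP_HDR + payload, largest, df


def split(total_len, limit, df):
    """Fragment a datagram so that no fragment exceeds `limit` bytes."""
    payload = total_len - IP_HDR
    step = (limit - IP_HDR) & ~7  # fragment offsets are multiples of 8
    out, off = [], 0
    while off < payload:
        chunk = min(step, payload - off)
        out.append((off, IP_HDR + chunk, off + chunk < payload, df))
        off += chunk
    return out


def forward_old(frags, mtu):
    """Before the series: a reassembled skb is refragmented only if len > mtu."""
    total, _, df = reassemble(frags)
    if total > mtu:
        return split(total, mtu, df=False)  # DF is stripped
    return [(0, total, False, df)]  # forwarded whole, larger than sent on wire


def forward_new(frags, mtu):
    """With the series: DF-reassembled skbs are always refragmented with DF."""
    total, largest, df = reassemble(frags)
    if df:
        return split(total, min(mtu, largest), df=True)
    return forward_old(frags, mtu)


# Constructed input: the two ingress fragments from the capture in the message.
INGRESS = [(0, 1204, True, True), (1184, 244, False, True)]
```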