* [PATCH 2.6.23-rc1][NETFILTER] nf_conntrack_reasm: adding icmpv6_send code(TIME EXCEEDED).
@ 2007-08-02  2:53 Masayuki Nakagawa
  2007-08-02  4:26 ` David Miller
  2007-08-02  4:43 ` Yasuyuki KOZAKAI
  0 siblings, 2 replies; 3+ messages in thread
From: Masayuki Nakagawa @ 2007-08-02  2:53 UTC (permalink / raw)
  To: netdev; +Cc: davem, yoshfuji, Masayuki Nakagawa

I ran the TAHI conformance test on a kernel on which CONFIG_NF_CONNTRACK_IPV6
is enabled, and the result included a couple of failures.
All of the failed items are related to TIME EXCEEDED.

The test procedure is as follows.
  Tester                      Target
    |                           |
    |-------------------------->|
    |       Echo Request        |
    |      (1st fragment)       |
    |                           |
    |      wait for 65 sec.     |
    |                           |
    |<--------------------------|
    |        ICMPv6 Error       |

(1) Tester sends the first fragment of an ICMPv6 echo request to Target.
(2) Wait for over 60 sec.
(3) If Target replies with an ICMPv6 error message (Time Exceeded) to Tester,
    then this test is a success; otherwise it is a failure.

The reason for the failure is very simple: the icmpv6_send code is
missing in the nf_ct_frag6_expire function (nf_conntrack_reasm.c).
The change is to add the missing code.

RFC2460 describes the behaviour regarding Time Exceeded,
but it is defined as a "should". So there is no specification violation here.
Therefore I'm not sure whether this change is appropriate or not.

I would appreciate any comments. Thanks.

Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>

Index: linux-2.6/net/ipv6/netfilter/nf_conntrack_reasm.c
===================================================================
--- linux-2.6.orig/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ linux-2.6/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -76,6 +76,7 @@ struct nf_ct_frag6_queue
 	struct sk_buff		*fragments;
 	int			len;
 	int			meat;
+	int			iif;
 	ktime_t			stamp;
 	unsigned int		csum;
 	__u8			last_in;	/* has first/last segment arrived? */
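Review bot: the new `iif` field is the only one in this part of the struct without a comment, and its neighbour `last_in` shows the convention; add one such as `/* ifindex of the device the last fragment arrived on */`. It would also help to state where the field is initialised: nf_ct_frag6_expire() hands `fq->iif` straight to dev_get_by_index(), and the queueing hunk only assigns it when `skb->dev` is set, so if the queue allocation does not zero the struct, a queue that expires before such a fragment was queued looks up a garbage ifindex.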
@@ -279,6 +280,7 @@ static void nf_ct_frag6_evictor(void)
 static void nf_ct_frag6_expire(unsigned long data)
 {
 	struct nf_ct_frag6_queue *fq = (struct nf_ct_frag6_queue *) data;
+	struct net_device *dev = NULL;

 	spin_lock(&fq->lock);

@@ -287,7 +289,26 @@ static void nf_ct_frag6_expire(unsigned

 	fq_kill(fq);

+	dev = dev_get_by_index(fq->iif);
+	if (!dev)
+		goto out;
+
+	/* Don't send error if the first segment did not arrive. */
+	if (!(fq->last_in&FIRST_IN) || !fq->fragments)
+		goto out;
+
+	/*
+	   But use as source device on which LAST ARRIVED
+	   segment was received. And do not use fq->dev
+	   pointer directly, device might already disappeared.
+	 */
+	fq->fragments->dev = dev;
+	icmpv6_send(fq->fragments, ICMPV6_TIME_EXCEED, ICMPV6_EXC_FRAGTIME, 0, dev);
+
 out:
+	if (dev)
+		dev_put(dev);
+
 	spin_unlock(&fq->lock);
 	fq_put(fq, NULL);
 }
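Review bot: the `!(fq->last_in&FIRST_IN) || !fq->fragments` check in the middle of the hunk should come before `dev = dev_get_by_index(fq->iif)`, so that a queue which never received its first fragment (the common case for timeouts seen by a firewall) does not pay for a device lookup and reference count round trip only to `goto out`. Two smaller points: `fq->last_in&FIRST_IN` wants spaces around the `&` per kernel coding style, and the comment above icmpv6_send() talks about a `fq->dev` pointer although nothing in this patch defines such a field on `nf_ct_frag6_queue`; if the struct has no `dev` member, reword it to explain why the ifindex is resolved at expiry time (the device may have gone away meanwhile). Finally, this path now transmits one ICMPv6 error per expiring queue, so the changelog should say that the rate limiting inside icmpv6_send() is relied on for a burst of lone first fragments; please confirm it applies on this timer path.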
@@ -534,6 +555,9 @@ static int nf_ct_frag6_queue(struct nf_c
 	else
 		fq->fragments = skb;

+	if (skb->dev)
+		fq->iif = skb->dev->ifindex;
+
 	skb->dev = NULL;
 	fq->stamp = skb->tstamp;
 	fq->meat += skb->len;
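Review bot: recording `fq->iif` on every queued fragment means the error leaves via the interface of the last fragment, which matches the comment in nf_ct_frag6_expire(), but the `if (skb->dev)` guard leaves `iif` untouched for a fragment without a device, so after such a fragment the queue still answers via the interface an earlier fragment used. Either document that in the struct field comment, or reset `fq->iif` to 0 in the else branch so that the `!dev` check in the expiry path skips the error for that queue.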


* Re: [PATCH 2.6.23-rc1][NETFILTER] nf_conntrack_reasm: adding icmpv6_send code(TIME EXCEEDED).
  2007-08-02  2:53 [PATCH 2.6.23-rc1][NETFILTER] nf_conntrack_reasm: adding icmpv6_send code(TIME EXCEEDED) Masayuki Nakagawa
@ 2007-08-02  4:26 ` David Miller
  2007-08-02  4:43 ` Yasuyuki KOZAKAI
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2007-08-02  4:26 UTC (permalink / raw)
  To: nakagawa.msy; +Cc: netdev, yoshfuji


Please make sure to CC: netfilter patches to
netfilter-devel@lists.netfilter.org and kaber@trash.net as is listed
in the linux/MAINTAINERS file.

Thank you.



* Re: [PATCH 2.6.23-rc1][NETFILTER] nf_conntrack_reasm: adding icmpv6_send code(TIME EXCEEDED).
  2007-08-02  2:53 [PATCH 2.6.23-rc1][NETFILTER] nf_conntrack_reasm: adding icmpv6_send code(TIME EXCEEDED) Masayuki Nakagawa
  2007-08-02  4:26 ` David Miller
@ 2007-08-02  4:43 ` Yasuyuki KOZAKAI
  1 sibling, 0 replies; 3+ messages in thread
From: Yasuyuki KOZAKAI @ 2007-08-02  4:43 UTC (permalink / raw)
  To: nakagawa.msy; +Cc: netdev, davem, yoshfuji


Hi,

From: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
Date: Wed, 01 Aug 2007 19:53:20 -0700

> I ran the TAHI conformance test on a kernel on which CONFIG_NF_CONNTRACK_IPV6
> is enabled, and the result included a couple of failures.
> All of the failed items are related to TIME EXCEEDED.
> 
> The test procedure is as follows.
>   Tester                      Target
>     |                           |
>     |-------------------------->|
>     |       Echo Request        |
>     |      (1st fragment)       |
>     |                           |
>     |      wait for 65 sec.     |
>     |                           |
>     |<--------------------------|
>     |        ICMPv6 Error       |
> 
> (1) Tester sends the first fragment of an ICMPv6 echo request to Target.
> (2) Wait for over 60 sec.
> (3) If Target replies with an ICMPv6 error message (Time Exceeded) to Tester,
>     then this test is a success; otherwise it is a failure.
> 
> The reason for the failure is very simple: the icmpv6_send code is
> missing in the nf_ct_frag6_expire function (nf_conntrack_reasm.c).
> The change is to add the missing code.
> 
> RFC2460 describes the behaviour regarding Time Exceeded,
> but it is defined as a "should". So there is no specification violation here.
> Therefore I'm not sure whether this change is appropriate or not.
> 
> I would appreciate any comments. Thanks.

The main usage of nf_conntrack_ipv6 today is for firewalls. I think that
silently sending an error is not preferable. Moreover, RFC2460 says

  4.5  Fragment Header

   The Fragment header is used by an IPv6 source to send a packet larger
   than would fit in the path MTU to its destination.  (Note: unlike
   IPv4, fragmentation in IPv6 is performed only by source nodes, not by
   routers along a packet's delivery path -- see section 5.)  

This means that an IPv6 router doesn't send a Too Big error for forwarded
packets.

At least it would be better to make it configurable if people want to do that.
A second idea is to pass such fragments on to the next network processing
instead of dropping them. But I'm not sure that it is possible.

-- Yasuyuki Kozakai
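To make the behaviour under discussion concrete, here is an added illustration (it is not code from this thread, from the patch, or from the kernel): a small in-memory IPv6 fragment reassembler that applies the RFC2460 section 4.5 rule from the original post (send Time Exceeded on timeout only when the first fragment, offset 0, has arrived), remembers the interface the last fragment came in on the way the patch's `fq->iif` does, and exposes a `send_time_exceeded` switch as a stand-in for the "make it configurable" suggestion above. The `Fragment`/`FragQueue`/`Reassembler` names, the octet-based offsets and the sample addresses are all constructed for the example; the timeout is counted from queue creation, which is an assumption of the model.

```python
# Model of the IPv6 fragment reassembly timeout decision (RFC2460 section 4.5).
# Added example, not kernel code. All names and sample values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REASSEMBLY_TIMEOUT = 60.0  # seconds, RFC2460 section 4.5


@dataclass
class Fragment:
    src: str
    dst: str
    ident: int       # Identification field of the Fragment header
    offset: int      # fragment offset in octets (0 == first fragment)
    more: bool       # M flag: more fragments follow
    length: int      # payload octets carried by this fragment
    ifindex: int     # interface the fragment was received on
    arrived: float   # receive time in seconds


@dataclass
class FragQueue:
    created: float                                    # model assumption: timeout runs from creation
    fragments: List[Fragment] = field(default_factory=list)
    first_in: bool = False                            # plays the role of the FIRST_IN bit
    iif: int = 0                                      # plays the role of fq->iif (last arrival)


class Reassembler:
    def __init__(self, send_time_exceeded: bool = True,
                 timeout: float = REASSEMBLY_TIMEOUT) -> None:
        self.queues: Dict[Tuple[str, str, int], FragQueue] = {}
        self.send_time_exceeded = send_time_exceeded  # the "configurable" knob
        self.timeout = timeout
        self.errors: List[Tuple[str, int, int]] = []  # (error destination, ifindex, ident)
        self.reassembled: List[int] = []              # ident of each completed datagram

    def receive(self, frag: Fragment) -> None:
        key = (frag.src, frag.dst, frag.ident)
        q = self.queues.setdefault(key, FragQueue(created=frag.arrived))
        q.fragments.append(frag)
        if frag.offset == 0:
            q.first_in = True
        q.iif = frag.ifindex                          # last arrival wins, as in the patch
        if self._complete(q):
            self.reassembled.append(frag.ident)
            del self.queues[key]

    @staticmethod
    def _complete(q: FragQueue) -> bool:
        # Complete when fragments cover [0, end) without gaps and the last has M == 0.
        frags = sorted(q.fragments, key=lambda f: f.offset)
        if not frags or frags[0].offset != 0:
            return False
        end = 0
        for f in frags:
            if f.offset > end:
                return False                          # hole in the coverage
            end = max(end, f.offset + f.length)
        return not frags[-1].more

    def expire(self, now: float) -> List[Tuple[str, int, int]]:
        """Timer tick: drop timed-out queues and decide whether to emit Time Exceeded."""
        sent: List[Tuple[str, int, int]] = []
        for key, q in list(self.queues.items()):
            if now - q.created < self.timeout:
                continue
            del self.queues[key]
            # RFC2460: error only if the first fragment was received. The patch also
            # requires a queued fragment and a device that still exists (iif != 0 here).
            if self.send_time_exceeded and q.first_in and q.fragments and q.iif != 0:
                err = (key[0], q.iif, key[2])
                self.errors.append(err)
                sent.append(err)
        return sent


if __name__ == "__main__":
    r = Reassembler()
    r.receive(Fragment("2001:db8::1", "2001:db8::2", 7, 0, True, 1232, 2, 0.0))
    print(r.expire(65.0))   # one Time Exceeded towards 2001:db8::1 via ifindex 2
```

Running it with a lone first fragment reproduces the conformance test: nothing happens at 30 seconds, and at 65 seconds the queue is dropped and exactly one error is produced towards the source, via the interface the fragment arrived on. A lone non-first fragment times out silently, and with `send_time_exceeded=False` the queue is still dropped but no error is generated, which is the firewall-friendly behaviour the reply asks for.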

