From: Herbert Xu <herbert@gondor.apana.org.au>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, bsd@redhat.com,
stephen@networkplumber.org, netdev@cger.kernel.org,
eric.dumazet@gmail.com, davidn@davidnewall.com,
Bandan Das <bandan.das@stratus.com>
Subject: Re: [PATCH nf next 0/3] bridge: netfilter: fix handling of ipv4 packets w. options
Date: Sat, 4 Oct 2014 11:56:06 +0800 [thread overview]
Message-ID: <20141004035606.GA8228@gondor.apana.org.au> (raw)
In-Reply-To: <1412384670-17794-1-git-send-email-fw@strlen.de>
On Sat, Oct 04, 2014 at 03:04:27AM +0200, Florian Westphal wrote:
> David Newall reported that bridge causes bad checksums:
> http://thread.gmane.org/gmane.linux.network/315705/focus=1706769
>
> The proposal was to revert
> 462fb2af9788a82a5 (bridge : Sanitize skb before it enters the IP stack).
>
> However, this has some other adverse effects since bridge netfilter
> and ip stack both use skb->cb (and we thus memset skb->cb whenever
> we hand skb off to the ip stack).
>
> So, this series attemps to resolve this a bit differently.
>
> First, lets add the inet_param padding that Eric suggested previously.
> This means that any earlier setup of IPCB will be preserved inside the
> bridge layer.
>
> This is also useful for netfilter since it will preserve
> IPCB(skb)->frag_max_size set up by ip defrag.
>
> Second, this gets rid of the option parsing/memset calls in
> to forward and output cases.
>
> Third, the pre-routing path is changed to not mangle the packets
> but to only validate the ip options.
>
> This patch series is vs. next instead of net/nf tree.
>
> This has been broken for so long that I don't think we need
> to rush this.
I'm unsure whether this is the right approach. So if I understand
this correctly your problem is coming from packets that are
IP stack => bridge => IP stack
in which case preserving IP options may work.
But does your patch handle packets that are
external => bridge => IP stack
The reason I asked for the IPCB to be built is to handle exactly
that case.
In fact, even preserving IPCB in the IP stack reentry case is
a hack since if we ever change the IP stack in future such that
on exit the IPCB is no longer valid for reentry your approach
will fail.
Now as to your original problem that ip_options_compile mangles
the packet this is something I explicitly said we should fix
before we added br_parse_ip_options (point 2 in that email):
https://lkml.org/lkml/2010/9/3/16
Unfortunately it looks like nobody actually did the audit.
So my suggestion would be to fix br_parse_ip_options so that
it never mangles the packet.
Does this fix your problem or are there other issues that I
have overlooked?
Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
next prev parent reply other threads:[~2014-10-04 3:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-04 1:04 [PATCH nf next 0/3] bridge: netfilter: fix handling of ipv4 packets w. options Florian Westphal
2014-10-04 1:04 ` [PATCH nf next 1/3] bridge: prepend inet_skb_param dummy to bridge cb Florian Westphal
2014-10-04 1:04 ` [PATCH nf next 2/3] netfilter: bridge: don't parse ip headers in fwd and output path Florian Westphal
2014-10-04 1:04 ` [PATCH nf-next 3/3] netfilter: bridge: don't mangle ipv4 header options Florian Westphal
2014-10-04 3:56 ` Herbert Xu [this message]
2014-10-04 10:04 ` [PATCH nf next 0/3] bridge: netfilter: fix handling of ipv4 packets w. options Florian Westphal
2014-10-04 13:55 ` Herbert Xu
2014-10-04 14:18 ` bridge: Do not compile options in br_parse_ip_options Herbert Xu
2014-10-04 18:06 ` Florian Westphal
2014-10-05 3:53 ` bridge: Respect call-iptables sysctls everywhere Herbert Xu
2014-10-05 4:00 ` bridge: Save frag_max_size between PRE_ROUTING and POST_ROUTING Herbert Xu
2014-10-07 19:13 ` David Miller
2014-10-05 9:13 ` bridge: Respect call-iptables sysctls everywhere Florian Westphal
2014-10-05 10:18 ` Herbert Xu
2014-10-06 4:53 ` bridge: Do not compile options in br_parse_ip_options David Miller
2014-10-24 10:41 ` Florian Westphal
2014-10-24 12:28 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141004035606.GA8228@gondor.apana.org.au \
--to=herbert@gondor.apana.org.au \
--cc=bandan.das@stratus.com \
--cc=bsd@redhat.com \
--cc=davidn@davidnewall.com \
--cc=eric.dumazet@gmail.com \
--cc=fw@strlen.de \
--cc=netdev@cger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).