From: Tom Hughes <tom@compton.nu>
To: Florian Westphal <fw@strlen.de>
Cc: pablo@netfilter.org, kadlec@netfilter.org,
	netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: allow ipv6 fragments to arrive on different devices
Date: Tue, 6 Aug 2024 12:38:25 +0100
Message-ID: <ccb00a3e-4f73-4354-a94a-920d7b29c9df@compton.nu>
In-Reply-To: <20240806112843.GB32447@breakpoint.cc>

On 06/08/2024 12:28, Florian Westphal wrote:
> Tom Hughes <tom@compton.nu> wrote:
>> Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device
>> for multicast and link-local packets") modified the ipv6 fragment
>> reassembly logic to distinguish frag queues by device for multicast
>> and link-local packets but in fact only the main reassembly code
>> limits the use of the device to those address types and the netfilter
>> reassembly code uses the device for all packets.
>>
>> This means that if fragments of a packet arrive on different interfaces
>> then netfilter will fail to reassemble them and the fragments will be
>> expired without going any further through the filters.
>>
>> Signed-off-by: Tom Hughes <tom@compton.nu>
> 
> Probably:
> Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
> 
> ?
> 
> Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex
> for types other than mcast/linklocal.

Ah yes... I had found that change and knew it changed how the main
reassembly code implemented the exception but hadn't realised that
before that netfilter shared the comparison routine.

I'll update the patch to add that.

Tom

-- 
Tom Hughes (tom@compton.nu)
http://compton.nu/
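
The mismatch discussed in this message, as an added user-space model that is not part of the patch, the kernel source or either poster's words: it compares a queue key that always includes the ingress device with one that keeps the device only for multicast and link-local traffic. The struct layout, function names and sample addresses are hypothetical, and applying the address-type test to the destination address is an assumption of this model.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a fragment-queue lookup key (hypothetical layout). */
struct frag_key {
    struct in6_addr saddr, daddr;
    uint32_t id;  /* Identification field of the Fragment header */
    int iif;      /* ingress ifindex; 0 means "not device-specific" */
};

/* True for ff00::/8 (multicast) and fe80::/10 (link-local). */
static bool needs_device_scope(const struct in6_addr *a)
{
    return a->s6_addr[0] == 0xff ||
           (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80);
}

/* scoped=false: device always in the key (netfilter behaviour in the report).
 * scoped=true: device kept only for multicast/link-local destinations. */
static struct frag_key make_key(const char *dst, int ifindex, bool scoped)
{
    struct frag_key k;
    memset(&k, 0, sizeof(k));
    inet_pton(AF_INET6, "2001:db8::1", &k.saddr); /* constructed source */
    inet_pton(AF_INET6, dst, &k.daddr);
    k.id = 0x1234;                                /* constructed fragment id */
    k.iif = (scoped && !needs_device_scope(&k.daddr)) ? 0 : ifindex;
    return k;
}

/* Would two fragments of one packet, seen on if_a and if_b, share a queue? */
static bool same_queue(const char *dst, int if_a, int if_b, bool scoped)
{
    struct frag_key a = make_key(dst, if_a, scoped);
    struct frag_key b = make_key(dst, if_b, scoped);
    return a.id == b.id && a.iif == b.iif &&
           !memcmp(&a.saddr, &b.saddr, sizeof(a.saddr)) &&
           !memcmp(&a.daddr, &b.daddr, sizeof(a.daddr));
}

int main(void)
{
    printf("global dst, always keyed on device: %d\n", same_queue("2001:db8::2", 2, 3, false));
    printf("global dst, device scoped:          %d\n", same_queue("2001:db8::2", 2, 3, true));
    printf("link-local dst, device scoped:      %d\n", same_queue("fe80::2", 2, 3, true));
    return 0;
}
```

A result of 0 in the first case corresponds to the failure mode in the commit message: the fragments land in separate queues, neither completes, and both expire.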


Thread overview: 4+ messages
2024-08-06 10:57 [PATCH] netfilter: allow ipv6 fragments to arrive on different devices Tom Hughes
2024-08-06 11:28 ` Florian Westphal
2024-08-06 11:38   ` Tom Hughes [this message]
2024-08-06 11:40 ` [PATCH v2] " Tom Hughes
