net: ip: push gso skb forwarding handling down the stack

Doing the segmentation in the forward path has one major drawback: When using virtio, we may process gso udp packets coming from host network stack. In that case, netfilter POSTROUTING will see one packet with udp header followed by multiple ip fragments. Delay the segmentation and do it after POSTROUTING invocation to avoid this. Fixes: fe6cc55f3a9 ("net: ip, ipv6: handle gso skbs in forwarding path") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Florian Westphal <fw@strlen.de> 2014-05-05 09:00:43 -0400
committer: David S. Miller <davem@davemloft.net> 2014-05-07 15:49:07 -0400
commit: c7ba65d7b64984ff371cb5630b36af23506c50d5 (patch)
tree: e86e1e97d344ddad515a81e6003b6ed330176d6e
parent: 418a31561d594a2b636c1e2fa94ecd9e1245abb1 (diff)
2 files changed, 48 insertions, 53 deletions
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index c29ae8371e44..6f111e48e11c 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -56,53 +56,6 @@ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
        return true;
 }
-static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb)
-{
-        unsigned int mtu;
-        if (skb->local_df || !skb_is_gso(skb))
-                return false;
-        mtu = ip_dst_mtu_maybe_forward(skb_dst(skb), true);
-        /* if seglen > mtu, do software segmentation for IP fragmentation on
-         * output.  DF bit cannot be set since ip_forward would have sent
-         * icmp error.
-         */
-        return skb_gso_network_seglen(skb) > mtu;
-}
-/* called if GSO skb needs to be fragmented on forward */
-static int ip_forward_finish_gso(struct sk_buff *skb)
-{
-        struct dst_entry *dst = skb_dst(skb);
-        netdev_features_t features;
-        struct sk_buff *segs;
-        int ret = 0;
-        features = netif_skb_dev_features(skb, dst->dev);
-        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
-        if (IS_ERR(segs)) {
-                kfree_skb(skb);
-                return -ENOMEM;
-        }
-        consume_skb(skb);
-        do {
-                struct sk_buff *nskb = segs->next;
-                int err;
-                segs->next = NULL;
-                err = dst_output(segs);
-                if (err && ret == 0)
-                        ret = err;
-                segs = nskb;
-        } while (segs);
-        return ret;
-}
 static int ip_forward_finish(struct sk_buff *skb)
 {
@@ -114,9 +67,6 @@ static int ip_forward_finish(struct sk_buff *skb)
        if (unlikely(opt->optlen))
                ip_forward_options(skb);
-        if (ip_gso_exceeds_dst_mtu(skb))
-                return ip_forward_finish_gso(skb);
        return dst_output(skb);
 }
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 1cbeba5edff9..a52f50187b54 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -211,6 +211,48 @@ static inline int ip_finish_output2(struct sk_buff *skb)
        return -EINVAL;
 }
+static int ip_finish_output_gso(struct sk_buff *skb)
+{
+        netdev_features_t features;
+        struct sk_buff *segs;
+        int ret = 0;
+        /* common case: locally created skb or seglen is <= mtu */
+        if (((IPCB(skb)->flags & IPSKB_FORWARDED) == 0) ||
+              skb_gso_network_seglen(skb) <= ip_skb_dst_mtu(skb))
+                return ip_finish_output2(skb);
+        /* Slowpath -  GSO segment length is exceeding the dst MTU.
+         *
+         * This can happen in two cases:
+         * 1) TCP GRO packet, DF bit not set
+         * 2) skb arrived via virtio-net, we thus get TSO/GSO skbs directly
+         * from host network stack.
+         */
+        features = netif_skb_features(skb);
+        segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
+        if (IS_ERR(segs)) {
+                kfree_skb(skb);
+                return -ENOMEM;
+        }
+        consume_skb(skb);
+        do {
+                struct sk_buff *nskb = segs->next;
+                int err;
+                segs->next = NULL;
+                err = ip_fragment(segs, ip_finish_output2);
+                if (err && ret == 0)
+                        ret = err;
+                segs = nskb;
+        } while (segs);
+        return ret;
+}
 static int ip_finish_output(struct sk_buff *skb)
 {
 #if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
@@ -220,10 +262,13 @@ static int ip_finish_output(struct sk_buff *skb)
                return dst_output(skb);
        }
 #endif
-        if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))
+        if (skb_is_gso(skb))
+                return ip_finish_output_gso(skb);
+        if (skb->len > ip_skb_dst_mtu(skb))
                return ip_fragment(skb, ip_finish_output2);
-        else
-                return ip_finish_output2(skb);
+        return ip_finish_output2(skb);
 }
 int ip_mc_output(struct sock *sk, struct sk_buff *skb)
author	Florian Westphal <fw@strlen.de>	2014-05-05 09:00:43 -0400
committer	David S. Miller <davem@davemloft.net>	2014-05-07 15:49:07 -0400
commit	c7ba65d7b64984ff371cb5630b36af23506c50d5 (patch)
tree	e86e1e97d344ddad515a81e6003b6ed330176d6e
parent	418a31561d594a2b636c1e2fa94ecd9e1245abb1 (diff)

diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c index c29ae8371e44..6f111e48e11c 100644 --- a/net/ipv4/ip_forward.c +++ b/net/ipv4/ip_forward.c
@@ -56,53 +56,6 @@ static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
56	return true;	56	return true;
57	}	57	}
58		58
59	static bool ip_gso_exceeds_dst_mtu(const struct sk_buff *skb)
60	{
61	unsigned int mtu;
62
63	if (skb->local_df \|\| !skb_is_gso(skb))
64	return false;
65
66	mtu = ip_dst_mtu_maybe_forward(skb_dst(skb), true);
67
68	/* if seglen > mtu, do software segmentation for IP fragmentation on
69	* output. DF bit cannot be set since ip_forward would have sent
70	* icmp error.
71	*/
72	return skb_gso_network_seglen(skb) > mtu;
73	}
74
75	/* called if GSO skb needs to be fragmented on forward */
76	static int ip_forward_finish_gso(struct sk_buff *skb)
77	{
78	struct dst_entry *dst = skb_dst(skb);
79	netdev_features_t features;
80	struct sk_buff *segs;
81	int ret = 0;
82
83	features = netif_skb_dev_features(skb, dst->dev);
84	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
85	if (IS_ERR(segs)) {
86	kfree_skb(skb);
87	return -ENOMEM;
88	}
89
90	consume_skb(skb);
91
92	do {
93	struct sk_buff *nskb = segs->next;
94	int err;
95
96	segs->next = NULL;
97	err = dst_output(segs);
98
99	if (err && ret == 0)
100	ret = err;
101	segs = nskb;
102	} while (segs);
103
104	return ret;
105	}
106		59
107	static int ip_forward_finish(struct sk_buff *skb)	60	static int ip_forward_finish(struct sk_buff *skb)
108	{	61	{
@@ -114,9 +67,6 @@ static int ip_forward_finish(struct sk_buff *skb)
114	if (unlikely(opt->optlen))	67	if (unlikely(opt->optlen))
115	ip_forward_options(skb);	68	ip_forward_options(skb);
116		69
117	if (ip_gso_exceeds_dst_mtu(skb))
118	return ip_forward_finish_gso(skb);
119
120	return dst_output(skb);	70	return dst_output(skb);
121	}	71	}
122		72


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 1cbeba5edff9..a52f50187b54 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_output.c
@@ -211,6 +211,48 @@ static inline int ip_finish_output2(struct sk_buff *skb)
211	return -EINVAL;	211	return -EINVAL;
212	}	212	}
213		213
		214	static int ip_finish_output_gso(struct sk_buff *skb)
		215	{
		216	netdev_features_t features;
		217	struct sk_buff *segs;
		218	int ret = 0;
		219
		220	/* common case: locally created skb or seglen is <= mtu */
		221	if (((IPCB(skb)->flags & IPSKB_FORWARDED) == 0) \|\|
		222	skb_gso_network_seglen(skb) <= ip_skb_dst_mtu(skb))
		223	return ip_finish_output2(skb);
		224
		225	/* Slowpath - GSO segment length is exceeding the dst MTU.
		226	*
		227	* This can happen in two cases:
		228	* 1) TCP GRO packet, DF bit not set
		229	* 2) skb arrived via virtio-net, we thus get TSO/GSO skbs directly
		230	* from host network stack.
		231	*/
		232	features = netif_skb_features(skb);
		233	segs = skb_gso_segment(skb, features & ~NETIF_F_GSO_MASK);
		234	if (IS_ERR(segs)) {
		235	kfree_skb(skb);
		236	return -ENOMEM;
		237	}
		238
		239	consume_skb(skb);
		240
		241	do {
		242	struct sk_buff *nskb = segs->next;
		243	int err;
		244
		245	segs->next = NULL;
		246	err = ip_fragment(segs, ip_finish_output2);
		247
		248	if (err && ret == 0)
		249	ret = err;
		250	segs = nskb;
		251	} while (segs);
		252
		253	return ret;
		254	}
		255
214	static int ip_finish_output(struct sk_buff *skb)	256	static int ip_finish_output(struct sk_buff *skb)
215	{	257	{
216	#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)	258	#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
@@ -220,10 +262,13 @@ static int ip_finish_output(struct sk_buff *skb)
220	return dst_output(skb);	262	return dst_output(skb);
221	}	263	}
222	#endif	264	#endif
223	if (skb->len > ip_skb_dst_mtu(skb) && !skb_is_gso(skb))	265	if (skb_is_gso(skb))
		266	return ip_finish_output_gso(skb);
		267
		268	if (skb->len > ip_skb_dst_mtu(skb))
224	return ip_fragment(skb, ip_finish_output2);	269	return ip_fragment(skb, ip_finish_output2);
225	else	270
226	return ip_finish_output2(skb);	271	return ip_finish_output2(skb);
227	}	272	}
228		273
229	int ip_mc_output(struct sock sk, struct sk_buff skb)	274	int ip_mc_output(struct sock sk, struct sk_buff skb)