netfilter: push reasm skb through instead of original frag skbs

[ Upstream commit 6aafeef03b9d9ecf255f3a80ed85ee070260e1ae ] Pushing original fragments through causes several problems. For example for matching, frags may not be matched correctly. Take following example: <example> On HOSTA do: ip6tables -I INPUT -p icmpv6 -j DROP ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT and on HOSTB you do: ping6 HOSTA -s2000 (MTU is 1500) Incoming echo requests will be filtered out on HOSTA. This issue does not occur with smaller packets than MTU (where fragmentation does not happen) </example> As was discussed previously, the only correct solution seems to be to use reassembled skb instead of separete frags. Doing this has positive side effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams dances in ipvs and conntrack can be removed. Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c entirely and use code in net/ipv6/reassembly.c instead. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Jiri Pirko <jiri@resnulli.us> 2013-11-06 11:52:20 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-12-08 10:29:25 -0500
commit: fddd8b501c59c87d63a0917c8e9e14bd28e3c724 (patch)
tree: dd715845dc99cff34e5cc63fd7fc4afdbf5a3850 /include/net
parent: 2d9a30962d0310d33372c245a6191499a06409f3 (diff)
2 files changed, 2 insertions, 35 deletions
diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 4c062ccff9aa..f0c13a386bf3 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size;
 struct ip_vs_iphdr {
        __u32 len;      /* IPv4 simply where L4 starts
                           IPv6 where L4 Transport Header starts */
-        __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */
        __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/
        __s16 protocol;
        __s32 flags;
@@ -117,34 +116,12 @@ struct ip_vs_iphdr {
        union nf_inet_addr daddr;
 };
-/* Dependency to module: nf_defrag_ipv6 */
-#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE)
-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)
-{
-        return skb->nfct_reasm;
-}
-static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,
-                                      int len, void *buffer,
-                                      const struct ip_vs_iphdr *ipvsh)
-{
-        if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb)))
-                return skb_header_pointer(skb_nfct_reasm(skb),
-                                          ipvsh->thoff_reasm, len, buffer);
-        return skb_header_pointer(skb, offset, len, buffer);
-}
-#else
-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb)
-{
-        return NULL;
-}
 static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset,
                                      int len, void *buffer,
                                      const struct ip_vs_iphdr *ipvsh)
 {
        return skb_header_pointer(skb, offset, len, buffer);
 }
-#endif
 static inline void
 ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr)
@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr)
                        (struct ipv6hdr *)skb_network_header(skb);
                iphdr->saddr.in6 = iph->saddr;
                iphdr->daddr.in6 = iph->daddr;
-                /* ipv6_find_hdr() updates len, flags, thoff_reasm */
+                /* ipv6_find_hdr() updates len, flags */
-                iphdr->thoff_reasm = 0;
                iphdr->len       = 0;
                iphdr->flags     = 0;
                iphdr->protocol  = ipv6_find_hdr(skb, &iphdr->len, -1,
                                                 &iphdr->fragoffs,
                                                 &iphdr->flags);
-                /* get proto from re-assembled packet and it's offset */
-                if (skb_nfct_reasm(skb))
-                        iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb),
-                                                        &iphdr->thoff_reasm,
-                                                        -1, NULL, NULL);
        } else
 #endif
        {
diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
index fd79c9a1779d..17920d847b40 100644
--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h
+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h
@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void);
 extern int nf_ct_frag6_init(void);
 extern void nf_ct_frag6_cleanup(void);
 extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user);
-extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
+extern void nf_ct_frag6_consume_orig(struct sk_buff *skb);
-                               struct net_device *in,
-                               struct net_device *out,
-                               int (*okfn)(struct sk_buff *));
 struct inet_frags_ctl;
author	Jiri Pirko <jiri@resnulli.us>	2013-11-06 11:52:20 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-12-08 10:29:25 -0500
commit	fddd8b501c59c87d63a0917c8e9e14bd28e3c724 (patch)
tree	dd715845dc99cff34e5cc63fd7fc4afdbf5a3850 /include/net
parent	2d9a30962d0310d33372c245a6191499a06409f3 (diff)