aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv6/ip6_output.c
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2012-08-26 13:13:58 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2012-08-29 21:00:10 -0400
commit4cdd34084d539c758d00c5dc7bf95db2e4f2bc70 (patch)
tree6a5892006d512dfab477dd7fc3d8dd0cdf75cedb /net/ipv6/ip6_output.c
parent590e3f79a21edd2e9857ac3ced25ba6b2a491ef8 (diff)
netfilter: nf_conntrack_ipv6: improve fragmentation handling
The IPv6 conntrack fragmentation currently has a couple of shortcomings. Fragmentes are collected in PREROUTING/OUTPUT, are defragmented, the defragmented packet is then passed to conntrack, the resulting conntrack information is attached to each original fragment and the fragments then continue their way through the stack. Helper invocation occurs in the POSTROUTING hook, at which point only the original fragments are available. The result of this is that fragmented packets are never passed to helpers. This patch improves the situation in the following way: - If a reassembled packet belongs to a connection that has a helper assigned, the reassembled packet is passed through the stack instead of the original fragments. - During defragmentation, the largest received fragment size is stored. On output, the packet is refragmented if required. If the largest received fragment size exceeds the outgoing MTU, a "packet too big" message is generated, thus behaving as if the original fragments were passed through the stack from an outside point of view. - The ipv6_helper() hook function can't receive fragments anymore for connections using a helper, so it is switched to use ipv6_skip_exthdr() instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the reassembled packets are passed to connection tracking helpers. The result of this is that we can properly track fragmented packets, but still generate ICMPv6 Packet too big messages if we would have before. This patch is also required as a precondition for IPv6 NAT, where NAT helpers might enlarge packets up to a point that they require fragmentation. In that case we can't generate Packet too big messages since the proper MTU can't be calculated in all cases (f.i. when changing textual representation of a variable amount of addresses), so the packet is transparently fragmented iff the original packet or fragments would have fit the outgoing MTU. IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>. Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net/ipv6/ip6_output.c')
-rw-r--r--net/ipv6/ip6_output.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 5b2d63ed793e..a4f6263fddca 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -493,7 +493,8 @@ int ip6_forward(struct sk_buff *skb)
493 if (mtu < IPV6_MIN_MTU) 493 if (mtu < IPV6_MIN_MTU)
494 mtu = IPV6_MIN_MTU; 494 mtu = IPV6_MIN_MTU;
495 495
496 if (skb->len > mtu && !skb_is_gso(skb)) { 496 if ((!skb->local_df && skb->len > mtu && !skb_is_gso(skb)) ||
497 (IP6CB(skb)->frag_max_size && IP6CB(skb)->frag_max_size > mtu)) {
497 /* Again, force OUTPUT device used as source address */ 498 /* Again, force OUTPUT device used as source address */
498 skb->dev = dst->dev; 499 skb->dev = dst->dev;
499 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); 500 icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu);
@@ -636,7 +637,9 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
636 /* We must not fragment if the socket is set to force MTU discovery 637 /* We must not fragment if the socket is set to force MTU discovery
637 * or if the skb it not generated by a local socket. 638 * or if the skb it not generated by a local socket.
638 */ 639 */
639 if (unlikely(!skb->local_df && skb->len > mtu)) { 640 if (unlikely(!skb->local_df && skb->len > mtu) ||
641 (IP6CB(skb)->frag_max_size &&
642 IP6CB(skb)->frag_max_size > mtu)) {
640 if (skb->sk && dst_allfrag(skb_dst(skb))) 643 if (skb->sk && dst_allfrag(skb_dst(skb)))
641 sk_nocaps_add(skb->sk, NETIF_F_GSO_MASK); 644 sk_nocaps_add(skb->sk, NETIF_F_GSO_MASK);
642 645