From 4cdd34084d539c758d00c5dc7bf95db2e4f2bc70 Mon Sep 17 00:00:00 2001 
From: Patrick McHardy Date: Sun, 26 Aug 2012 19:13:58 +0200 Subject: netfilter: nf_conntrack_ipv6: improve fragmentation handling The IPv6 conntrack fragmentation currently has a couple of shortcomings. Fragments are collected in PREROUTING/OUTPUT, are defragmented, the defragmented packet is then passed to conntrack, the resulting conntrack information is attached to each original fragment and the fragments then continue their way through the stack. Helper invocation occurs in the POSTROUTING hook, at which point only the original fragments are available. The result of this is that fragmented packets are never passed to helpers. This patch improves the situation in the following way: - If a reassembled packet belongs to a connection that has a helper assigned, the reassembled packet is passed through the stack instead of the original fragments. - During defragmentation, the largest received fragment size is stored. On output, the packet is refragmented if required. If the largest received fragment size exceeds the outgoing MTU, a "packet too big" message is generated, thus behaving as if the original fragments were passed through the stack from an outside point of view. - The ipv6_helper() hook function can't receive fragments anymore for connections using a helper, so it is switched to use ipv6_skip_exthdr() instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the reassembled packets are passed to connection tracking helpers. The result of this is that we can properly track fragmented packets, but still generate ICMPv6 Packet too big messages if we would have before. This patch is also required as a precondition for IPv6 NAT, where NAT helpers might enlarge packets up to a point that they require fragmentation. In that case we can't generate Packet too big messages since the proper MTU can't be calculated in all cases (f.i. 
when changing textual representation of a variable amount of addresses), so the packet is transparently fragmented iff the original packet or fragments would have fit the outgoing MTU. IPVS parts by Jesper Dangaard Brouer . Signed-off-by: Patrick McHardy
---
include/linux/ipv6.h | 1 +
1 file changed, 1 insertion(+) (limited to 'include/linux/ipv6.h')
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 879db26ec401..0b94e91ed685 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -256,6 +256,7 @@ struct inet6_skb_parm {
#if defined(CONFIG_IPV6_MIP6) || defined(CONFIG_IPV6_MIP6_MODULE)
__u16 dsthao;
#endif
+ __u16 frag_max_size;
#define IP6SKB_XFRM_TRANSFORMED 1
#define IP6SKB_FORWARDED 2
-- cgit v1.2.2
From 607ca46e97a1b6594b29647d98a32d545c24bdff Mon Sep 17 00:00:00 2001
From: David Howells Date: Sat, 13 Oct 2012 10:46:48 +0100 Subject: UAPI: (Scripted) Disintegrate include/linux Signed-off-by: David Howells Acked-by: Arnd Bergmann Acked-by: Thomas Gleixner Acked-by: Michael Kerrisk Acked-by: Paul E. McKenney Acked-by: Dave Jones
---
include/linux/ipv6.h | 166 +--------------------------------------------------
1 file changed, 1 insertion(+), 165 deletions(-) (limited to 'include/linux/ipv6.h')
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 0b94e91ed685..bcba48a97868 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
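Review bot: The `__u16 frag_max_size;` field added to `struct inet6_skb_parm` in the first patch (hunk `-256,6 +256,7`) has no comment saying what it measures or when it is valid. The commit message says it records the largest received fragment size during defragmentation and is compared with the outgoing MTU on output, so it drives the refragment / Packet Too Big decision. I would document it in place, e.g. `__u16 frag_max_size; /* largest fragment size seen during reassembly; checked against the MTU on output */`. The code that stores the value is not in this view (the diff is limited to this header), so it should be confirmed there that the stored size always fits in 16 bits, since a truncated value would under-report the fragment size to the MTU check. The struct body starts and ends outside the hunk.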
@@ -1,134 +1,9 @@ #ifndef _IPV6_H #define _IPV6_H -#include -#include -#include +#include -/* The latest drafts declared increase in minimal mtu up to 1280. */ - -#define IPV6_MIN_MTU 1280 - -/* - * Advanced API - * source interface/address selection, source routing, etc... - * *under construction* - */ - - -struct in6_pktinfo { - struct in6_addr ipi6_addr; - int ipi6_ifindex; -}; - -struct ip6_mtuinfo { - struct sockaddr_in6 ip6m_addr; - __u32 ip6m_mtu; -}; - -struct in6_ifreq { - struct in6_addr ifr6_addr; - __u32 ifr6_prefixlen; - int ifr6_ifindex; -}; - -#define IPV6_SRCRT_STRICT 0x01 /* Deprecated; will be removed */ -#define IPV6_SRCRT_TYPE_0 0 /* Deprecated; will be removed */ -#define IPV6_SRCRT_TYPE_2 2 /* IPv6 type 2 Routing Header */ - -/* - * routing header - */ -struct ipv6_rt_hdr { - __u8 nexthdr; - __u8 hdrlen; - __u8 type; - __u8 segments_left; - - /* - * type specific data - * variable length field - */ -}; - - -struct ipv6_opt_hdr { - __u8 nexthdr; - __u8 hdrlen; - /* - * TLV encoded option data follows. - */ -} __attribute__((packed)); /* required for some archs */ - -#define ipv6_destopt_hdr ipv6_opt_hdr -#define ipv6_hopopt_hdr ipv6_opt_hdr - -#ifdef __KERNEL__ #define ipv6_optlen(p) (((p)->hdrlen+1) << 3) -#endif - -/* - * routing header type 0 (used in cmsghdr struct) - */ - -struct rt0_hdr { - struct ipv6_rt_hdr rt_hdr; - __u32 reserved; - struct in6_addr addr[0]; - -#define rt0_type rt_hdr.type -}; - -/* - * routing header type 2 - */ - -struct rt2_hdr { - struct ipv6_rt_hdr rt_hdr; - __u32 reserved; - struct in6_addr addr; - -#define rt2_type rt_hdr.type -}; - -/* - * home address option in destination options header - */ - -struct ipv6_destopt_hao { - __u8 type; - __u8 length; - struct in6_addr addr; -} __attribute__((packed)); - -/* - * IPv6 fixed header - * - * BEWARE, it is incorrect. The first 4 bits of flow_lbl - * are glued to priority now, forming "class". 
- */ - -struct ipv6hdr { -#if defined(__LITTLE_ENDIAN_BITFIELD) - __u8 priority:4, - version:4; -#elif defined(__BIG_ENDIAN_BITFIELD) - __u8 version:4, - priority:4; -#else -#error "Please fix " -#endif - __u8 flow_lbl[3]; - - __be16 payload_len; - __u8 nexthdr; - __u8 hop_limit; - - struct in6_addr saddr; - struct in6_addr daddr; -}; - -#ifdef __KERNEL__ /* * This structure contains configuration options per IPv6 link. */ @@ -180,43 +55,6 @@ struct ipv6_params { __s32 autoconf; }; extern struct ipv6_params ipv6_defaults; -#endif - -/* index values for the variables in ipv6_devconf */ -enum { - DEVCONF_FORWARDING = 0, - DEVCONF_HOPLIMIT, - DEVCONF_MTU6, - DEVCONF_ACCEPT_RA, - DEVCONF_ACCEPT_REDIRECTS, - DEVCONF_AUTOCONF, - DEVCONF_DAD_TRANSMITS, - DEVCONF_RTR_SOLICITS, - DEVCONF_RTR_SOLICIT_INTERVAL, - DEVCONF_RTR_SOLICIT_DELAY, - DEVCONF_USE_TEMPADDR, - DEVCONF_TEMP_VALID_LFT, - DEVCONF_TEMP_PREFERED_LFT, - DEVCONF_REGEN_MAX_RETRY, - DEVCONF_MAX_DESYNC_FACTOR, - DEVCONF_MAX_ADDRESSES, - DEVCONF_FORCE_MLD_VERSION, - DEVCONF_ACCEPT_RA_DEFRTR, - DEVCONF_ACCEPT_RA_PINFO, - DEVCONF_ACCEPT_RA_RTR_PREF, - DEVCONF_RTR_PROBE_INTERVAL, - DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN, - DEVCONF_PROXY_NDP, - DEVCONF_OPTIMISTIC_DAD, - DEVCONF_ACCEPT_SOURCE_ROUTE, - DEVCONF_MC_FORWARDING, - DEVCONF_DISABLE_IPV6, - DEVCONF_ACCEPT_DAD, - DEVCONF_FORCE_TLLAO, - DEVCONF_MAX -}; - -#ifdef __KERNEL__ #include #include #include @@ -541,6 +379,4 @@ static inline struct raw6_sock *raw6_sk(const struct sock *sk) (ipv6_addr_equal(&inet6_twsk(__sk)->tw_v6_rcv_saddr, (__daddr))) && \ (!((__sk)->sk_bound_dev_if) || ((__sk)->sk_bound_dev_if == (__dif)))) -#endif /* __KERNEL__ */ - #endif /* _IPV6_H */ -- cgit v1.2.2