* [PATCH v3 -next] ip: reject too-big defragmented DF-skb when forwarding
@ 2015-05-21 22:06 Florian Westphal
2015-05-25 4:09 ` David Miller
0 siblings, 1 reply; 2+ messages in thread
From: Florian Westphal @ 2015-05-21 22:06 UTC (permalink / raw)
To: netdev; +Cc: Florian Westphal
Send icmp pmtu error if we find that the largest fragment of df-skb
exceeded the output path mtu.
The ip output path will still catch this later on but we can avoid the
forward/postrouting hook traversal by rejecting right away.
This is what ipv6 already does.
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
No changes since v2; I moved the patch out of set defrag set
since its independent.
net/ipv4/ip_forward.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/ip_forward.c b/net/ipv4/ip_forward.c
index 3674484..2d3aa40 100644
--- a/net/ipv4/ip_forward.c
+++ b/net/ipv4/ip_forward.c
@@ -39,17 +39,21 @@
#include <net/route.h>
#include <net/xfrm.h>
-static bool ip_may_fragment(const struct sk_buff *skb)
-{
- return unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0) ||
- skb->ignore_df;
-}
-
static bool ip_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
{
if (skb->len <= mtu)
return false;
+ if (unlikely((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0))
+ return false;
+
+ /* original fragment exceeds mtu and DF is set */
+ if (unlikely(IPCB(skb)->frag_max_size > mtu))
+ return true;
+
+ if (skb->ignore_df)
+ return false;
+
if (skb_is_gso(skb) && skb_gso_network_seglen(skb) <= mtu)
return false;
@@ -114,7 +118,7 @@ int ip_forward(struct sk_buff *skb)
IPCB(skb)->flags |= IPSKB_FORWARDED;
mtu = ip_dst_mtu_maybe_forward(&rt->dst, true);
- if (!ip_may_fragment(skb) && ip_exceeds_mtu(skb, mtu)) {
+ if (ip_exceeds_mtu(skb, mtu)) {
IP_INC_STATS(dev_net(rt->dst.dev), IPSTATS_MIB_FRAGFAILS);
icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,
htonl(mtu));
--
2.0.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH v3 -next] ip: reject too-big defragmented DF-skb when forwarding
2015-05-21 22:06 [PATCH v3 -next] ip: reject too-big defragmented DF-skb when forwarding Florian Westphal
@ 2015-05-25 4:09 ` David Miller
0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2015-05-25 4:09 UTC (permalink / raw)
To: fw; +Cc: netdev
From: Florian Westphal <fw@strlen.de>
Date: Fri, 22 May 2015 00:06:40 +0200
> Send icmp pmtu error if we find that the largest fragment of df-skb
> exceeded the output path mtu.
>
> The ip output path will still catch this later on but we can avoid the
> forward/postrouting hook traversal by rejecting right away.
>
> This is what ipv6 already does.
>
> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Applied, thank you.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2015-05-25 4:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-21 22:06 [PATCH v3 -next] ip: reject too-big defragmented DF-skb when forwarding Florian Westphal
2015-05-25 4:09 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.