On Thursday 05 August 2004 16:58, Eble, Dan wrote:
> > The check should be after all
> > netfilter hooks just before the packet is given to the NIC
> > driver, dropped
> > on transmit because it can not be sent out on the target media, not
> > dropped in "bridge forwarding" because it seems to be bigger than the
> > intended target device.
>
> That makes sense. I agree.

Stephen, how about this patch?

cheers,
Bart

--- linux-2.6.8-rc2-bk9/net/bridge/br_forward.c.old 2004-08-02 23:15:42.000000000 +0200 +++ linux-2.6.8-rc2-bk9/net/bridge/br_forward.c 2004-08-05 17:57:52.000000000 +0200 @@ -23,7 +23,6 @@ static inline int should_deliver(const s const struct sk_buff *skb) { if (skb->dev == p->dev || - skb->len > p->dev->mtu || p->state != BR_STATE_FORWARDING) return 0; @@ -32,6 +31,10 @@ static inline int should_deliver(const s int br_dev_queue_push_xmit(struct sk_buff *skb) { + if (skb->len > skb->dev->mtu) { + kfree_skb(skb); + return 0; + } #ifdef CONFIG_BRIDGE_NETFILTER /* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */ nf_bridge_maybe_copy_header(skb);
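Review bot: In the first hunk (should_deliver), removing the "skb->len > p->dev->mtu" test leaves no size limit in the delivery decision, so the patch only keeps the MTU enforced if every path that passes should_deliver() ends in br_dev_queue_push_xmit(). The visible lines do not show the callers; please confirm that in the changelog, or name any transmit path that bypasses br_dev_queue_push_xmit() and would now pass oversized frames to the driver. It would also help to say explicitly that oversized frames now traverse the bridge netfilter hooks before being dropped, since that is the intended behaviour change.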
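Review bot: In the second hunk, the new test at the top of br_dev_queue_push_xmit() frees the skb and returns 0 with no comment and no drop accounting, so an oversized frame disappears silently and the caller sees the same return value as a successful hand-off. Suggest a one-line comment saying the check sits here so that it runs after the netfilter hooks (the ip_refrag comment just below gives the reason), and consider counting the drop so it is visible to an administrator. Note also that the removed test compared against p->dev->mtu while this one uses skb->dev->mtu; that is equivalent only if skb->dev already points at the egress port device when this function runs, which the hunk does not show and is worth stating.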