Fw: [Bridge] Re: Any way of knowing a packet's been defragmented


 



Dave, this patch from Bart De Schuymer <bdschuym@xxxxxxxxxx> fixes problems
when using filtering and defragmentation.  The bridge needs to enforce the
MTU restriction after going through the filtering chain, not before, because
the incoming filter may have reassembled an IP packet that then needs to
be fragmented on the output chain.

Signed-off-by: Stephen Hemminger <shemminger@xxxxxxxx>

diff -Nru a/net/bridge/br_forward.c b/net/bridge/br_forward.c
--- a/net/bridge/br_forward.c	2004-08-06 09:12:41 -07:00
+++ b/net/bridge/br_forward.c	2004-08-06 09:12:41 -07:00
@@ -23,7 +23,6 @@
 				 const struct sk_buff *skb)
 {
 	if (skb->dev == p->dev ||
-	    skb->len > p->dev->mtu ||
 	    p->state != BR_STATE_FORWARDING)
 		return 0;
 
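Review bot: with `skb->len > p->dev->mtu` dropped from this condition, nothing in the function records that the length limit is still enforced somewhere, and a reader of this predicate alone would conclude that oversize frames are now deliverable. A one-line comment above the `if` stating that the MTU is checked later, in br_dev_queue_push_xmit, after the netfilter hooks have had the chance to refragment, would keep the two halves of the check linked. It is also worth confirming that every path that passes this test does end in br_dev_queue_push_xmit, since any path that does not would now transmit without an MTU check.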
@@ -32,13 +31,17 @@
 
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
+	if (skb->len > skb->dev->mtu) 
+		kfree_skb(skb);
+	else {
 #ifdef CONFIG_BRIDGE_NETFILTER
-	/* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
-	nf_bridge_maybe_copy_header(skb);
+		/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
+		nf_bridge_maybe_copy_header(skb);
 #endif
-	skb_push(skb, ETH_HLEN);
+		skb_push(skb, ETH_HLEN);
 
-	dev_queue_xmit(skb);
+		dev_queue_xmit(skb);
+	}
 
 	return 0;
 }
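Review bot: the new test at the top of br_dev_queue_push_xmit reads `skb->dev->mtu`, whereas the check removed in the first hunk read `p->dev->mtu`; the two are only equivalent if skb->dev already points at the egress port's device when this function runs, and that assignment is not visible in this patch, so please confirm it or say so in a comment. The oversize case is also dropped silently with `kfree_skb(skb)` and the function still returns 0, which gives an administrator debugging a filtering and defragmentation setup no sign that frames are being discarded; consider bumping a drop counter on the device at that point. Style points: there is trailing whitespace after `if (skb->len > skb->dev->mtu)`, the `if` branch should take braces since the `else` branch has them, and the reworded comment lost the word "which" and no longer parses as a sentence.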

