Hi Ansis & Patrick

On Wed, 2014-02-19 at 12:32 -0800, Ansis Atteka wrote:
> On Wed, Feb 19, 2014 at 10:21 AM, Art -kwaak- van Breemen
> <ard@xxxxxxxxxxxxxxx> wrote:
> >
> > Hans,
> > I want to keep the patch as is, but change the description:
> >
> > ====
> > [PATCH] ipvs: fix wrong icmp_offset in ip_vs_nat_icmp_v6
> > From: Ard van Breemen <ard@xxxxxxxxxxxxxxx>
> >
> >
> > Fix regression introduced in 3.8 with commit 9195bb8e381d81
> > ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
> > which broke commit 63dca2c0b0e7a9
> > ("ipvs: Fix faulty IPv6 extension header handling in IPVS").
> > by a small change in ipv6_find_hdr: finding specific protocols is not
> > supported anymore, use -1 instead. Solves (pmtud) problems caused by
> > damaged IPv6 headers in NAT-ed ICMP packets.
> >
> > Signed-off-by: Ard van Breemen <ard@xxxxxxxxxxxxxxx>
> > CC: Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
> > CC: Hans Schillstrom <hans@xxxxxxxxxxxxxxx>
> >
> > ---
> >
> > Do you and Ansis agree with me?
> My changes to this function were necessary for the Open vSwitch
> set_ipv6() action implementation so that checksums would be correctly
> recalculated.
>
> I introduced IP6_FH_F_SKIP_RH flag that skips all Routing Headers,
> where segments_left==0. This flag allows Open vSwitch kernel module to
> figure out whether it needs to recalculate checksum after changing
> destination IP address in IPv6 header. In ipv6 the checksum is
> calculated over final destination IP address that could also be in
> Routing Header instead of ipv6 header (see rfc2460 section 8.1 for more
> details).
>
> I believe your patch would break meaning of IP6_FH_F_SKIP_RH flag,
> because it would exit early when it saw Routing Header where segments
> left == 0.

I saw that too in openvswitch/actions.c, i.e. it will break your patch

But if you want to find a specific header ex. NEXTHDR_GRE, that is not in ipv6_ext_hdr()
ipv6_find_hdr() will fail to do that
it will return -ENOENT

I still think ipv6_find_hdr is broken for nft_exthdr_eval()
after commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8

Patrick,
I guess the intention with nft_exthdr_eval() is to be able to find any extension header or?
I might be wrong here ...

Regards
Hans

> --
> To unsubscribe from this list: send the line "unsubscribe lvs-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
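The skip behaviour described in the quoted text for Routing Headers with segments_left == 0, as an added example that is not part of this thread and is not the kernel's ipv6_find_hdr(): a bounds-checked userspace walker over the IPv6 extension-header chain. The names `find_hdr`, `SKIP_RH`, `final_dst_in_rh` and both sample buffers are hypothetical and constructed here; AH and fragment-offset handling are left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };
#define SKIP_RH 1 /* hypothetical flag, modelled on the IP6_FH_F_SKIP_RH description */

/* Walk the extension headers that follow the 40-byte IPv6 header.
 * buf/len: bytes after the fixed header; nexthdr: its Next Header value.
 * Returns the offset of the first header of type target, or -1 when the
 * chain ends, is truncated or is malformed before target is seen. */
static int find_hdr(const uint8_t *buf, size_t len, uint8_t nexthdr,
                    uint8_t target, int flags)
{
    size_t off = 0;
    for (;;) {
        int is_ext = nexthdr == NH_HOPOPTS || nexthdr == NH_ROUTING ||
                     nexthdr == NH_FRAGMENT || nexthdr == NH_DSTOPTS;
        if (is_ext && len - off < 8)
            return -1;                      /* truncated extension header */
        /* With SKIP_RH, a Routing Header with segments_left == 0 is passed over. */
        int skip = nexthdr == NH_ROUTING && (flags & SKIP_RH) && buf[off + 3] == 0;
        if (nexthdr == target && !skip)
            return (int)off;
        if (!is_ext)
            return -1;                      /* upper-layer header reached */
        size_t hlen = nexthdr == NH_FRAGMENT ? 8 : ((size_t)buf[off + 1] + 1) * 8;
        if (hlen > len - off)
            return -1;                      /* length field points past the buffer */
        nexthdr = buf[off];
        off += hlen;
    }
}

/* Constructed samples: one type-0 Routing Header (24 bytes), next header TCP. */
static const uint8_t rh_done[24]    = { NH_TCP, 2, 0, 0 }; /* segments_left = 0 */
static const uint8_t rh_pending[24] = { NH_TCP, 2, 0, 1 }; /* segments_left = 1 */

/* 1 when a Routing Header still has segments left, i.e. the final
 * destination used for the checksum is not the IPv6 header's address. */
static int final_dst_in_rh(const uint8_t *buf, size_t len, uint8_t nexthdr)
{
    return find_hdr(buf, len, nexthdr, NH_ROUTING, SKIP_RH) >= 0;
}

int main(void)
{
    printf("done: %d pending: %d\n", final_dst_in_rh(rh_done, 24, NH_ROUTING),
           final_dst_in_rh(rh_pending, 24, NH_ROUTING));
    return 0;
}
```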