Signed-off-by: Vasily Averin <vvs@xxxxxxxxxx>
---
 net/ipv4/netfilter/nf_defrag_ipv4.c | 14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index f82685c..40cbd05 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -87,6 +87,20 @@ static unsigned int ipv4_conntrack_defrag(const struct nf_hook_ops *ops,
 enum ip_defrag_users user = nf_ct_defrag_user(ops->hooknum, skb);
+#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) && defined (CONFIG_BRIDGE_NETFILTER)
+ if ((user >= IP_DEFRAG_CONNTRACK_BRIDGE_IN) &&
+ (user <= __IP_DEFRAG_CONNTRACK_BRIDGE_IN)) {
+ struct net *net = sock_net(skb->sk);
+
+ /* A bridge should not defragment and fragment packets.
+ * However if connection tracking is enabled or
+ * if some target (TPROXY) or matches (socket) are used
+ * we enable ipv4 defragmentation on bridge
+ */
+ if (atomic_read(&net->br_defrag_ipv4_users_count) == 0)
+ return NF_ACCEPT;
+ }
+#endif
 if (nf_ct_ipv4_gather_frags(skb, user))
 return NF_STOLEN;
 }
-- 
1.7.5.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
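Review bot: `struct net *net = sock_net(skb->sk);` in the added bridge branch dereferences `skb->sk`, and a packet that reached this hook because it is being bridged (the only case the `IP_DEFRAG_CONNTRACK_BRIDGE_IN` range selects) normally has no local socket attached, so `skb->sk` is NULL and `sock_net()` reads through it — a NULL pointer dereference any peer can trigger with one fragmented IPv4 frame across the bridge. Derive the namespace from the device instead, `struct net *net = dev_net(skb->dev);` (or `dev_net(in)` if this hook receives the input device; its parameter list is cut at the hunk header, so I cannot confirm which is in scope), which is also the value the rest of this function presumably uses when it guards the `sk && ...` case in its prologue upstream — to be confirmed, since that prologue is outside the hunk. The `IS_ENABLED(CONFIG_NF_DEFRAG_IPV4)` half of the new `#if` is always true inside nf_defrag_ipv4.c and can be dropped, leaving a plain `#ifdef CONFIG_BRIDGE_NETFILTER`. Whether `br_defrag_ipv4_users_count` is actually raised by every consumer the comment lists (conntrack, TPROXY, the socket match) is decided by code not in this hunk; ipv4_conntrack_defrag both begins and ends outside it.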