On Tue, Dec 23, 2014 at 03:03:43PM +0100, Pablo Neira Ayuso wrote: > On Fri, Dec 05, 2014 at 10:12:25PM +0100, Bernhard Thaler wrote: > > diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c > > index c190d22..73ea96a 100644 > > --- a/net/bridge/br_netfilter.c > > +++ b/net/bridge/br_netfilter.c > [...] > > +static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb) > > +{ > > + struct nf_bridge_info *nf_bridge = skb->nf_bridge; > > + struct rtable *rt; > > + struct net_device *dev = skb->dev; > > + > > + if (nf_bridge->mask & BRNF_PKT_TYPE) { > > + skb->pkt_type = PACKET_OTHERHOST; > > + nf_bridge->mask ^= BRNF_PKT_TYPE; > > + } > > + nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING; > > There is no fragmentation handling here. Actually, not your fault, the > original br_nf_pre_routing_finish_ipv6() doesn't consider this case. > > I can take this patch, it doesn't do any worse than the existing code, > but probably you want to have a look at this. A bit more info if you have a look at this: br_netfilter fragmentation handling is poorly designed, basically it may modify original fragment boundaries and a bridge shouldn't do that. But this is how this has been working since long time ago. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html