On Tue, Dec 23, 2014 at 03:03:43PM +0100, Pablo Neira Ayuso wrote:
> On Fri, Dec 05, 2014 at 10:12:25PM +0100, Bernhard Thaler wrote:
> > diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
> > index c190d22..73ea96a 100644
> > --- a/net/bridge/br_netfilter.c
> > +++ b/net/bridge/br_netfilter.c
> [...]
> > +static int br_nf_pre_routing_finish_ipv6(struct sk_buff *skb)
> > +{
> > + struct nf_bridge_info *nf_bridge = skb->nf_bridge;
> > + struct rtable *rt;
> > + struct net_device *dev = skb->dev;
> > +
> > + if (nf_bridge->mask & BRNF_PKT_TYPE) {
> > + skb->pkt_type = PACKET_OTHERHOST;
> > + nf_bridge->mask ^= BRNF_PKT_TYPE;
> > + }
> > + nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
>
> There is no fragmentation handling here. Actually, not your fault, the
> original br_nf_pre_routing_finish_ipv6() doesn't consider this case.
>
> I can take this patch, it doesn't do any worse than the existing code,
> but probably you want to have a look at this.
A bit more info if you have a look at this: br_netfilter fragmentation
handling is poorly designed, basically it may modify original fragment
boundaries and a bridge shouldn't do that. But this is how this has
been working since long time ago.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
