David Miller <davem@xxxxxxxxxxxxx> wrote:
> Specifically it needs to stop pretending it can do full on IP
> operations like fragmentation without the full necessary context.
>
> That full necessary context being a physical destination device,
> and a proper IP route.
>
> It means that all of the MTU calculations miss everything done
> by the ipv4 routing layer, all of the settings made by the user
> via sysctl_ip_fwd_use_pmtu, etc.

Perhaps, but I have a hard time defining whether a bridge should use
something like sysctl_ip_fwd_use_pmtu or not.

And doing route lookups will break things for some people, we have
zero guarantee that a bridge has the needed routing information, it's
valid to not even configure a default gateway on a bridge.

We could alter defragmentation to provide the size of the largest
fragment seen unconditionally, and use that.

But I honestly think this patch is the best we can do to at least
not have the IP stack deal with this crap.

> So I think bridge netfilter needs to seriously look up a real
> route and do things properly like the rest of the networking
> stack does when it wants to fragment ipv4 packets.

Sure, I can investigate doing this.

However, I don't believe that this is fixable given that we might not
have any routing tables; also, we allowed things like transparent
PPPOE and VLAN header stripping.

ip_fragment shouldn't have to deal with increased LL space, as it does
now, and I don't see any way to fix that except adding that extra ll
size argument and having br_netfilter set it.

If you disagree, what's your suggested solution to get rid of the
br_netfilter inline helpers?

Kill support for vlan/pppoe header stripping?
Add route lookup but keep current behaviour as fallback in case we
don't find route?

I wouldn't object to doing that, but I'm reasonably sure it will
break existing setups.

Thanks!