ip6_fragment() was not called by netfilter bridge code before changes in
"bridge: forward IPv6 fragmented packets when passing" and lacks mtu size
reduction as found in ip_fragment().
Add mtu size reductions based on ip_fragment() code.
Signed-off-by: Bernhard Thaler <bernhard.thaler@xxxxxxxx>
---
Patch needs further testing in specific scenarios (e.g. fragmented IPv6
packet within PPPoE over bridge) to confirm correct operation.
net/ipv6/ip6_output.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 0a04a37..9b5aeef 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -40,6 +40,7 @@
#include <linux/slab.h>
#include <linux/netfilter.h>
+#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv6.h>
#include <net/sock.h>
@@ -578,6 +579,10 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
mtu = np->frag_size;
}
mtu -= hlen + sizeof(struct frag_hdr);
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ if (skb->nf_bridge)
+ mtu -= nf_bridge_mtu_reduction(skb);
+#endif
if (skb_has_frag_list(skb)) {
int first_len = skb_pagelen(skb);
@@ -717,7 +722,10 @@ slow_path:
*/
*prevhdr = NEXTHDR_FRAGMENT;
- hroom = LL_RESERVED_SPACE(rt->dst.dev);
+ /* for bridged IP traffic encapsulated inside f.e. a vlan header,
+ * we need to make room for the encapsulating header
+ */
+ hroom = LL_RESERVED_SPACE_EXTRA(rt->dst.dev, nf_bridge_pad(skb));
troom = rt->dst.dev->needed_tailroom;
/*
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
