On Fri, Jun 05, 2015 at 01:27:13PM +0200, Florian Westphal wrote:
> If bridge netfilter is used with both
> bridge-nf-call-iptables and bridge-nf-filter-vlan-tagged enabled
> then ip fragments in VLAN frames are sent without the vlan header.
>
> This has never worked reliably. Turns out this relied on pre-3.5
> behaviour where skb frag_list was used to store ip fragments;
> ip_fragment() then re-used these skbs.
>
> But since commit 3cc4949269e01f39443d0fcfffb5bc6b47878d45
> ("ipv4: use skb coalescing in defragmentation") this is no longer
> the case. ip_do_fragment now needs to allocate new skbs, but these
> don't contain the vlan tag information anymore.
>
> Fix it by storing vlan information of the ressembled skb in the
> br netfilter percpu frag area, and restore them for each of the
> fragments.
>
> Fixes: 3cc4949269e01f3 ("ipv4: use skb coalescing in defragmentation")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Applied to nf-next. Thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
