On Tue, Mar 12, 2019 at 04:39:46PM +0800, Xin Long wrote: > On Mon, Mar 11, 2019 at 7:08 PM Neil Horman <nhorman@xxxxxxxxxxxxx> wrote: > > > > On Sat, Mar 09, 2019 at 10:24:34AM +0100, Florian Westphal wrote: > > > Xin Long <lucien.xin@xxxxxxxxx> wrote: > > > > https://marc.info/?l=linux-netdev&m=155109395226858&w=2 > > > > But from sctp side, Neil preferred sctp_hdr(). > > > > > > > > We need to either add skb_set_transport_header() in sctp_s/dnat_handler() > > > > and sctp_manip_pkt(), or bring that patch back? > > > > > > > > Now it seems not good to set skb->transport_header in netfilter code. > > > > > > I think its fine, but I wonder why we need to do it. > > > > > > Since 21d1196a35f5686c4323e42a62fdb4b23b0ab4a3 ipv4 input path sets > > > transport header before netfilter. The only problem is that linear > > > access is illegal without may_pull checks, but in this case the > > > make_writable call takes care of this already. > > > > > Yes, this. It seems to me we should be setting the transport header prior to > > ever getting into the netfilter code, which does imply that we need the may_pull > > check to linearize enough of the packet to do so, just like tcp and udp do. > > > > > So, why was this patch needed? > > The issue was reported when going to nf_conntrack by br_netfilter's > bridge-nf-call-iptables, which could be: > > br_prerouting->inet_prerouting-> > br_forward->inet_forward-> > br_postrouting->inet_postrouting Can you fix this from br_netfilter then? ie. set the transport header before prerouting to emulate the IP stack behaviour.
