From: wenxu <wenxu@xxxxxxxxx>
ip netns exec ns1 ip a a dev eth0 10.0.0.7/24
ip netns exec ns2 ip link a link eth0 name vlan type vlan id 200
ip netns exec ns2 ip a a dev vlan 10.0.0.8/24
ip l add dev br0 type bridge vlan_filtering 1
brctl addif br0 veth1
brctl addif br0 veth2
bridge vlan add dev veth1 vid 200 pvid untagged
bridge vlan add dev veth2 vid 200
A two fragment packets send from ns2 contained with vlan tag 200.
In the bridge conntrack, packet will defrag to one skb with fraglist.
When the packet forward to ns1 through veth1, the first skb vlan tag
will be cleared for "untagged" flags. But the vlan tag in the second
skb still tagged, which lead the second fragment send with tag 200 to
ns1.
So if the first fragment packet don't contain vlan tag, all of the
remain should not contain vlan tag..
Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system")
Signed-off-by: wenxu <wenxu@xxxxxxxxx>
---
net/bridge/netfilter/nf_conntrack_bridge.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index b675cd7..4f5444d 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -331,6 +331,8 @@ static int nf_ct_bridge_frag_restore(struct sk_buff *skb,
}
if (data->vlan_present)
__vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
+ else if (skb_vlan_tag_present(skb))
+ __vlan_hwaccel_clear_tag(skb);
skb_copy_to_linear_data_offset(skb, -ETH_HLEN, data->mac, ETH_HLEN);
skb_reset_mac_header(skb);
--
1.8.3.1
