On Wed, Jun 19, 2019 at 10:35:07PM +0800, wenxu@xxxxxxxxx wrote: [...] > So if the first fragment packet don't contain vlan tag, all of the > remain should not contain vlan tag.. If I understand correctly, the problem is this: * First fragment comes with no vlan tag. * Second fragment comes with vlan tag. If you have a vlan setup, you have to use ct zone to map the vlan id to the corresponding ct zone. nf_ct_br_defrag4() calls: err = ip_defrag(state->net, skb, IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id); if ct zones are used, first fragment will go to defrag queue IP_DEFRAG_CONNTRACK_BRIDGE_IN + 0, while second fragment will go to IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id. So they will go to different defrag queues. > Fixes: 3c171f496ef5 ("netfilter: bridge: add connection tracking system") > Signed-off-by: wenxu <wenxu@xxxxxxxxx> > --- > net/bridge/netfilter/nf_conntrack_bridge.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c > index b675cd7..4f5444d 100644 > --- a/net/bridge/netfilter/nf_conntrack_bridge.c > +++ b/net/bridge/netfilter/nf_conntrack_bridge.c > @@ -331,6 +331,8 @@ static int nf_ct_bridge_frag_restore(struct sk_buff *skb, > } > if (data->vlan_present) > __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci); > + else if (skb_vlan_tag_present(skb)) > + __vlan_hwaccel_clear_tag(skb); > > skb_copy_to_linear_data_offset(skb, -ETH_HLEN, data->mac, ETH_HLEN); > skb_reset_mac_header(skb); > -- > 1.8.3.1 >
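Review bot: The added `else if (skb_vlan_tag_present(skb))` branch in nf_ct_bridge_frag_restore() clears a VLAN tag from the skb, but neither a comment nor the quoted changelog says in which configuration a tagged skb reaches this point while `data->vlan_present` is unset. As the reply points out, nf_ct_br_defrag4() passes IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone_id to ip_defrag(), so when ct zones are mapped from the vlan id, an untagged first fragment and a tagged later fragment go to different defrag queues and are not reassembled together. The changelog should describe the setup in which mixed fragments share one queue (whether this only occurs when no ct zone is in use is worth stating explicitly), and a one-line comment above the new branch should say that the tag state saved in `data` is what every restored fragment must carry.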