On 06/08/2024 12:28, Florian Westphal wrote:
Tom Hughes <tom@xxxxxxxxxx> wrote:Commit 264640fc2c5f4 ("ipv6: distinguish frag queues by device for multicast and link-local packets") modified the ipv6 fragment reassembly logic to distinguish frag queues by device for multicast and link-local packets but in fact only the main reassembly code limits the use of the device to those address types and the netfilter reassembly code uses the device for all packets. This means that if fragments of a packet arrive on different interfaces then netfilter will fail to reassemble them and the fragments will be expired without going any further through the filters. Signed-off-by: Tom Hughes <tom@xxxxxxxxxx>Probably: Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units") ? Before this nf ipv6 reasm called ip6_frag_match() which ignored ifindex for types other than mcast/linklocal.
Ah yes... I had found that change and knew it changed how the main reassembly code implemented the exception but hadn't realised that before that netfilter shared the comparison routine. I'll update the patch to add that. Tom -- Tom Hughes (tom@xxxxxxxxxx) http://compton.nu/
