Thread (67 messages) 67 messages, 11 authors, 2012-08-29

Re: [PATCH V2 2/2] ipvs: Extend MTU check to account for IPv6 NAT defrag changes

From: Jesper Dangaard Brouer <hidden>
Date: 2012-08-29 09:04:13
Also in: lvs-devel, netfilter-devel

On Wed, 2012-08-29 at 01:43 -0700, Eric Dumazet wrote:
On Wed, 2012-08-29 at 09:02 +0200, Jesper Dangaard Brouer wrote:
quoted
On Tue, 2012-08-28 at 07:49 -0700, Eric Dumazet wrote:
quoted
On Tue, 2012-08-28 at 16:23 +0200, Jesper Dangaard Brouer wrote:
quoted
This patch is necessary, to make IPVS work, after Patrick McHardys
IPv6 NAT defragmentation changes.

Signed-off-by: Jesper Dangaard Brouer <redacted>
---
In V2: the tunnel mode is no longer a special case.

 net/netfilter/ipvs/ip_vs_xmit.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 67a3978..56f6d5d 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -88,7 +88,14 @@ __ip_vs_dst_check(struct ip_vs_dest *dest, u32 rtos)
 static inline bool
 __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)
 {
-	if (skb->len > mtu && !skb_is_gso(skb)) {
+	if (IP6CB(skb)->frag_max_size) {
+		/* frag_max_size tell us that, this packet have been
+		 * defragmented by netfilter IPv6 conntrack module.
+		 */
+		if (IP6CB(skb)->frag_max_size > mtu)
+			return true; /* largest fragment violate MTU */
Implicit:         else
     			return false

(if it makes it more clear, not sure)
quoted
quoted
+	}
+	else if (skb->len > mtu && !skb_is_gso(skb)) {
 		return true; /* Packet size violate MTU size */
 	}
Couldnt you use a single test ?

if (IP6CB(skb)->frag_max_size > mtu)
	return true;

if (skb->len > mtu && !skb_is_gso(skb))
	return true;
Nope, this will not work.

If (IP6CB(skb)->frag_max_size > 0) then we have a defragmented packet,
this means that skb->len cannot be used for MTU checking, because
skb->len is now the total length of all the fragments (which your
solution will fall-through to)
If the packet was not fragmented, its was a single frame.

But if this frame length is above mtu, packet is not too big ?
Nope... not if its a defragmented/reassembled packet.
Sorry if its a stupid question.
These changes have to be seen together with Patrick's patch:
 "netfilter: nf_conntrack_ipv6: improve fragmentation handling"
 http://thread.gmane.org/gmane.linux.network/241517/focus=241518

The IPv6 packet arriving have been defragmented/reassembled by the
nf_conntrack_ipv6 module.  Thus, they look like a normal, but big,
packet to us.   We let it through, because it will be re-fragmented
again later, but first we need to check if the largest fragment would
violate the MTU.

Hope it makes it more clear.

Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help