netfilter: bridge-netfilter: fix refragmenting IP traffic encapsulated in PPPoE traffic

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The MTU for IP traffic encapsulated inside PPPoE traffic is smaller
than the MTU of the Ethernet device (1500). Connection tracking
gathers all IP packets and sometimes will refragment them in
ip_fragment(). We then need to subtract the length of the
encapsulating header from the mtu used in ip_fragment(). The check in
br_nf_dev_queue_xmit() which determines if ip_fragment() has to be
called is also updated for the PPPoE-encapsulated packets.
nf_bridge_copy_header() is also updated to make sure the PPPoE data
length field has the correct value.

Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

Bart De Schuymer and committed by

Patrick McHardy 16 years ago 6c79bf0f 62910554

+12 -1

3 changed files

expand all

include

linux

netfilter_bridge.h

net

bridge

br_netfilter.c

ipv4

ip_output.c

include/linux/netfilter_bridge.h

··· 68 68 } 69 69 } 70 70 71 + static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb) 72 + { 73 + if (unlikely(skb->nf_bridge->mask & BRNF_PPPoE)) 74 + return PPPOE_SES_HLEN; 75 + return 0; 76 + } 77 + 71 78 extern int br_handle_frame_finish(struct sk_buff *skb); 72 79 /* Only used in br_device.c */ 73 80 static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)

+1 -1

net/bridge/br_netfilter.c

··· 745 745 static int br_nf_dev_queue_xmit(struct sk_buff *skb) 746 746 { 747 747 if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) && 748 - skb->len > skb->dev->mtu && 748 + skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu && 749 749 !skb_is_gso(skb)) 750 750 return ip_fragment(skb, br_dev_queue_push_xmit); 751 751 else

net/ipv4/ip_output.c

··· 469 469 470 470 hlen = iph->ihl * 4; 471 471 mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */ 472 + #ifdef CONFIG_BRIDGE_NETFILTER 473 + if (skb->nf_bridge) 474 + mtu -= nf_bridge_mtu_reduction(skb); 475 + #endif 472 476 IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE; 473 477 474 478 /* When frag_list is given, use it. First, check its validity: