1. 28 5月, 2015 3 次提交
    • D
      Merge branch 'ip_frag_next' · 837b9955
      David S. Miller 提交于
      Florian Westphal says:
      
      ====================
      net: force refragmentation for DF reassembed skbs
      
      output path tests:
      
          if (skb->len > mtu) ip_fragment()
      
      This breaks connectivity in one corner case:
       If the skb was reassembled, but has the DF bit set and ..
       .. its reassembled size is <= outdev mtu ..
       .. we will forward a DF packet larger than what the sender
          transmitted on wire.
      
      If a router later in the path can't forward this packet, it will send an
      icmp error in response to an mtu that the original sender never exceeded.
      
      This changes ipv4 defrag/output path to
      
      a) force refragmentation for DF reassembled skbs and
      b) set DF bit on all fragments when refragmenting if it was set on original
      frags.
      
      tested via:
      from scapy.all import *
      dip="10.23.42.2"
      payload="A"*1400
      packet=IP(dst=dip,id=12345,flags='DF')/UDP(sport=42,dport=42)/payload
      frags=fragment(packet,fragsize=1200)
      for fragment in frags:
          send(fragment)
      
      Without this patch, we generate fragments without df bit set based
      on the outgoing device mtu when fragmenting after forwarding, ie.
      
      IP (ttl 64, id 12345, offset 0, flags [+, DF], proto UDP (17), length 1204)
          192.168.7.1.42 > 10.23.42.2.42: UDP, length 1400
      IP (ttl 64, id 12345, offset 1184, flags [DF], proto UDP (17), length 244)
          192.168.7.1 > 10.23.42.2: ip-proto-17
      
      on ingress will either turn into
      
      IP (ttl 63, id 12345, offset 0, flags [+], proto UDP (17), length 1396)
          192.168.7.1.42 > 10.23.42.2.42: UDP, length 1400
      IP (ttl 63, id 12345, offset 1376, flags [none], proto UDP (17), length 52)
      
      (mtu 1400: We strip df and send larger fragment), or
      
      IP (ttl 63, id 12345, offset 0, flags [DF], proto UDP (17), length 1428)
          192.168.7.1.42 > 10.23.42.2.42: [udp sum ok] UDP, length 1400
      
      if mtu is 1500.  And in this case things break; router with a smaller mtu
      will send icmp error, but original sender only sent packets <= 1204 byte.
      
      With patch, we keep intent of such fragments and will emit DF-fragments
      that won't exceed 1204 byte in size.
      
      Joint work with Hannes Frederic Sowa.
      
      Changes since v2:
       - split unrelated patches from series
       - rework changelog of patch #2 to better illustrate breakage
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      837b9955
    • F
      ip_fragment: don't forward defragmented DF packet · d6b915e2
      Florian Westphal 提交于
      We currently always send fragments without DF bit set.
      
      Thus, given following setup:
      
      mtu1500 - mtu1500:1400 - mtu1400:1280 - mtu1280
         A           R1              R2         B
      
      Where R1 and R2 run linux with netfilter defragmentation/conntrack
      enabled, then if Host A sent a fragmented packet _with_ DF set to B, R1
      will respond with icmp too big error if one of these fragments exceeded
      1400 bytes.
      
      However, if R1 receives fragment sizes 1200 and 100, it would
      forward the reassembled packet without refragmenting, i.e.
      R2 will send an icmp error in response to a packet that was never sent,
      citing mtu that the original sender never exceeded.
      
      The other minor issue is that a refragmentation on R1 will conceal the
      MTU of R2-B since refragmentation does not set DF bit on the fragments.
      
      This modifies ip_fragment so that we track largest fragment size seen
      both for DF and non-DF packets, and set frag_max_size to the largest
      value.
      
      If the DF fragment size is larger or equal to the non-df one, we will
      consider the packet a path mtu probe:
      We set DF bit on the reassembled skb and also tag it with a new IPCB flag
      to force refragmentation even if skb fits outdev mtu.
      
      We will also set DF bit on each fragment in this case.
      
      Joint work with Hannes Frederic Sowa.
      Reported-by: NJesse Gross <jesse@nicira.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d6b915e2
    • F
      net: ipv4: avoid repeated calls to ip_skb_dst_mtu helper · c5501eb3
      Florian Westphal 提交于
      ip_skb_dst_mtu is small inline helper, but its called in several places.
      
      before: 17061      44       0   17105    42d1 net/ipv4/ip_output.o
      after:  16805      44       0   16849    41d1 net/ipv4/ip_output.o
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5501eb3
  2. 27 5月, 2015 7 次提交
  3. 26 5月, 2015 30 次提交