Huajian Yang <huajiany...@asrmicro.com> wrote:
> The config NF_CONNTRACK_BRIDGE will change the way fragments are processed.
> Bridge does not know that it is a fragmented packet and forwards it
> directly; after NF_CONNTRACK_BRIDGE is enabled, function nf_br_ip_fragment
> will check and fraglist this packet.
>
> Some network devices would not be able to ping large packets under bridge,
> but large packet ping is successful if NF_CONNTRACK_BRIDGE is not enabled.

Can you add a new test to tools/testing/selftests/net/netfilter/ that
demonstrates this problem?

> In function nf_br_ip_fragment, checking the headroom before sending is
> undoubted, but it is unreasonable to directly drop skb with insufficient
> headroom.

Are we talking about if (first_len - hlen > mtu or skb_headroom(skb) < ll_rs) ?

>
> if (first_len - hlen > mtu ||
> skb_headroom(skb) < ll_rs)
> - goto blackhole;
> + goto expand_headroom;

I guess this should be

	if (first_len - hlen > mtu)
		goto blackhole;
	if (skb_headroom(skb) < ll_rs)
		goto expand_headroom;

... but I'm not sure what the actual problem is.

> +expand_headroom:
> + struct sk_buff *expand_skb;
> +
> + expand_skb = skb_copy_expand(skb, ll_rs, skb_tailroom(skb), GFP_ATOMIC);
> + if (unlikely(!expand_skb))
> + goto blackhole;

Why does this need to make a full skb copy?
Should that be using skb_expand_head()?

> slow_path:

Actually, can't you just (re)use the slowpath for the skb_headroom < ll_rs
case instead of adding headroom expansion?
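
Review bot: in the hunk that retargets the goto, the combined test (first_len - hlen > mtu || skb_headroom(skb) < ll_rs) still guards a single jump, so a first fragment larger than the MTU now goes to expand_headroom too, and extra headroom does nothing for an oversized fragment. Give the two conditions separate branches so that the MTU check keeps dropping to blackhole and only the headroom check takes the new path.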
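
Review bot: in the expand_headroom hunk, the declaration struct sk_buff *expand_skb; sits directly after the label, which is only valid C from C23 on and is rejected by older GCC versions; declare expand_skb with the other locals at the top of nf_br_ip_fragment instead. The quoted lines also do not show the original skb being released once skb_copy_expand() succeeds, so the success path should be checked for a leak, and the GFP_ATOMIC failure path for whether a silent drop via blackhole is the intended result.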