[PATCH] net: Move specific fragmented packet to slow_path instead of dropping it

Thu, 17 Apr 2025 02:31:10 -0700 

The config NF_CONNTRACK_BRIDGE will change the bridge forwarding for
fragmented packets.

The original bridge does not know that it is a fragmented packet and
forwards it directly, after NF_CONNTRACK_BRIDGE is enabled, function
nf_br_ip_fragment and br_ip6_fragment will check the headroom.

In original br_forward, insufficient headroom of skb may indeed exist,
but there's still a way to save the skb in the device driver after
dev_queue_xmit.So droping the skb will change the original bridge
forwarding in some cases.

Signed-off-by: Huajian Yang <huajiany...@asrmicro.com>
---
 net/bridge/netfilter/nf_conntrack_bridge.c | 12 ++++++------
 net/ipv6/netfilter.c                       | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c 
b/net/bridge/netfilter/nf_conntrack_bridge.c
index 816bb0fde718..6482de4d8750 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -60,19 +60,19 @@ static int nf_br_ip_fragment(struct net *net, struct sock 
*sk,
                struct ip_fraglist_iter iter;
                struct sk_buff *frag;
 
-               if (first_len - hlen > mtu ||
-                   skb_headroom(skb) < ll_rs)
+               if (first_len - hlen > mtu)
                        goto blackhole;
 
-               if (skb_cloned(skb))
+               if (skb_cloned(skb) ||
+                   skb_headroom(skb) < ll_rs)
                        goto slow_path;
 
                skb_walk_frags(skb, frag) {
-                       if (frag->len > mtu ||
-                           skb_headroom(frag) < hlen + ll_rs)
+                       if (frag->len > mtu)
                                goto blackhole;
 
-                       if (skb_shared(frag))
+                       if (skb_shared(frag) ||
+                           skb_headroom(frag) < hlen + ll_rs)
                                goto slow_path;
                }
 
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 581ce055bf52..4541836ee3da 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -164,20 +164,20 @@ int br_ip6_fragment(struct net *net, struct sock *sk, 
struct sk_buff *skb,
                struct ip6_fraglist_iter iter;
                struct sk_buff *frag2;
 
-               if (first_len - hlen > mtu ||
-                   skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
+               if (first_len - hlen > mtu)
                        goto blackhole;
 
-               if (skb_cloned(skb))
+               if (skb_cloned(skb) ||
+                   skb_headroom(skb) < (hroom + sizeof(struct frag_hdr)))
                        goto slow_path;
 
                skb_walk_frags(skb, frag2) {
-                       if (frag2->len > mtu ||
-                           skb_headroom(frag2) < (hlen + hroom + sizeof(struct 
frag_hdr)))
+                       if (frag2->len > mtu)
                                goto blackhole;
 
                        /* Partially cloned skb? */
-                       if (skb_shared(frag2))
+                       if (skb_shared(frag2) ||
+                           skb_headroom(frag2) < (hlen + hroom + sizeof(struct 
frag_hdr)))
                                goto slow_path;
                }
 
-- 
2.48.1

Reply via email to