Revision: 7600
          http://sourceforge.net/p/ipcop/svn/7600
Author:   owes
Date:     2014-06-13 04:50:02 +0000 (Fri, 13 Jun 2014)
Log Message:
-----------
Add a patch to fix MTU/fragment problem, queued for 3.4.93

Modified Paths: -------------- ipcop/trunk/lfs/linux Added Paths: ----------- ipcop/trunk/src/patches/linux-3.4_netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch Modified: ipcop/trunk/lfs/linux =================================================================== --- ipcop/trunk/lfs/linux 2014-06-12 20:37:43 UTC (rev 7599) +++ ipcop/trunk/lfs/linux 2014-06-13 04:50:02 UTC (rev 7600) @@ -118,6 +118,9 @@ # APU LEDs cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)_leds-apu.patch + # MTU issue, queued for 3.4.93 + cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)_netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch + ifeq "$(GRSEC)" "yes" cd $(DIR_APP) && patch -Np1 -i $(DIR_DL)/$(GRSECURITYPATCH) # Remove test for binutils version, --build-id does not work for us and we have binutils > 2.18 Added: ipcop/trunk/src/patches/linux-3.4_netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch =================================================================== --- ipcop/trunk/src/patches/linux-3.4_netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch (rev 0) +++ ipcop/trunk/src/patches/linux-3.4_netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch 2014-06-13 04:50:02 UTC (rev 7600) 
@@ -0,0 +1,58 @@ +From 895162b1101b3ea5db08ca6822ae9672717efec0 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <f...@strlen.de> +Date: Fri, 2 May 2014 15:32:16 +0200 +Subject: netfilter: ipv4: defrag: set local_df flag on defragmented skb + +From: Florian Westphal <f...@strlen.de> + +commit 895162b1101b3ea5db08ca6822ae9672717efec0 upstream. + +else we may fail to forward skb even if original fragments do fit +outgoing link mtu: + +1. remote sends 2k packets in two 1000 byte frags, DF set +2. we want to forward but only see '2k > mtu and DF set' +3. we then send icmp error saying that outgoing link is 1500 + +But original sender never sent a packet that would not fit +the outgoing link. + +Setting local_df makes outgoing path test size vs. +IPCB(skb)->frag_max_size, so we will still send the correct +error in case the largest original size did not fit +outgoing link mtu. + +Reported-by: Maxime Bizon <mbi...@freebox.fr> +Suggested-by: Maxime Bizon <mbi...@freebox.fr> +Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking) +Signed-off-by: Florian Westphal <f...@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> +Cc: Jiri Slaby <jsl...@suse.cz> +Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> + +--- + net/ipv4/netfilter/nf_defrag_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/ipv4/netfilter/nf_defrag_ipv4.c ++++ b/net/ipv4/netfilter/nf_defrag_ipv4.c +@@ -22,7 +22,6 @@ + #endif + #include <net/netfilter/nf_conntrack_zones.h> + +-/* Returns new sk_buff, or NULL */ + static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user) + { + int err; +@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struc + err = ip_defrag(skb, user); + local_bh_enable(); + +- if (!err) ++ if (!err) { + ip_send_check(ip_hdr(skb)); ++ skb->local_df = 1; ++ } + + return err; + } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. 
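
Review bot: In the ipcop/trunk/lfs/linux hunk, the new comment "# MTU issue, queued for 3.4.93" says why the patch is there but not when it has to go. The patch file is a copy of upstream commit 895162b1101b3ea5db08ca6822ae9672717efec0, so the step becomes redundant as soon as the kernel base reaches 3.4.93. Suggest extending the comment (for example "remove when updating to 3.4.93 or later") so this line and the file under src/patches are dropped together at the next kernel bump instead of being applied on top of a tree that already contains the change.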
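
Review bot: In the nf_ct_ipv4_gather_frags() hunk of the added kernel patch, skb->local_df = 1 is set on every successfully reassembled skb, and the commit message relies on the outgoing path then testing size against IPCB(skb)->frag_max_size. The Fixes: tag attributes that behaviour to 5f2d04f1f9, so please confirm the 3.4 tree this is applied to already carries that commit; without that check, setting local_df would leave no size test for DF-marked traffic that was reassembled here. The removal of the "Returns new sk_buff, or NULL" comment in the first inner hunk is unrelated to the fix but matches the code, since the function returns int.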