=output:2
table=1, ct_state=+est+trk,ip,in_port=2 actions=output:3
> On 13 March 2017 at 20:18, wenxu <we...@ucloud.cn> wrote:
>> Hi all,
>>
>> There is a simple test for conntrack and NAT in openvswitch. I want to do a
>> stateful firewall with conntrack.
delete the conntrack
immediately. --RR */
-if (th->rst ) {
+if (th->rst && !nf_ct_tcp_rst_no_kill) {
nf_ct_kill_acct(ct, ctinfo, skb);
return NF_ACCEPT;
}
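Review bot: the new guard at `+if (th->rst && !nf_ct_tcp_rst_no_kill) {` makes the kill conditional, but the comment directly above it still states that a RST will "delete the conntrack immediately", and nothing in the hunk declares, defaults or documents `nf_ct_tcp_rst_no_kill`. Reword the comment to describe the opt-out, and put the variable's declaration together with its sysctl or module-parameter wiring and a Documentation entry in the same patch; please also say what the entry's timeout is meant to be once a RST no longer kills it, so the effect on table occupancy can be reviewed.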
BR
wenxu
ip_gre in (the default) pmtudisc mode.
>
> Fixes: b8247f095e ("net: ip_finish_output_gso: If skb_gso_network_seglen
> exceeds MTU, allow segmentation for local udp tunneled skbs")
> Reported-by: wenxu <we...@ucloud.cn>
Tested-by: wenxu <we...@ucloud.cn>
> Cc: Hann
> and geneve, and probably
> ovs vport-gre, or other ovs encap vports, in df_default=false mode),
> will behave same for gso and non-gso.
>
> WDYT? Am I missing something here?
>
> Thanks,
> Shmulik
I think the criterion 'skb_iif && !(df & htons(IP_DF))' is suitable.
A 'nopmtudisc' tunnel and an ovs-gre tunnel can clear the DF through
df_default=false.
In this situation both the gso (final segment) and the non-gso packet can be fragmented (if
the packet size is more than the mtu).
Thanks
Wenxu
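As an added illustration of the criterion discussed above (example code written for this page, not kernel code and not anything posted in the thread): a user-space C model of the DF-based fragment-or-reject decision for a GSO segment that exceeds the egress MTU. `skb_iif`, `IP_DF`, `df_default=false` and `nopmtudisc` are the names used in the thread; `pmtu_decide`, `scenario`, `forwarded_may_fragment` and the rest are this example's own, and the `ignore_df` parameter is an assumed stand-in for the local pmtudisc-off override. The IPv4 header is constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define IP_DF 0x4000u  /* RFC 791 "don't fragment" flag, host byte order */

enum pmtu_verdict {
    PMTU_PASS,             /* segment fits the egress MTU: transmit as-is */
    PMTU_FRAGMENT,         /* oversized but fragmentation is allowed */
    PMTU_ICMP_FRAG_NEEDED  /* oversized, DF honoured: drop and signal PMTU */
};

/* Constructed 20-byte IPv4 header in network byte order (not captured
 * traffic). Bytes 6-7 hold flags + fragment offset; DF is bit 14. */
static void build_ipv4_hdr(uint8_t hdr[20], uint16_t tot_len, int df)
{
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                        /* version 4, IHL 5 */
    hdr[2] = (uint8_t)(tot_len >> 8);
    hdr[3] = (uint8_t)(tot_len & 0xffu);
    hdr[6] = df ? 0x40 : 0x00;            /* DF flag, high byte of frag_off */
    hdr[8] = 64;                          /* TTL */
    hdr[9] = 6;                           /* protocol: TCP */
}

/* frag_off the way struct iphdr keeps it: a 16-bit field still in network
 * byte order, which is why the thread compares it against htons(IP_DF). */
static uint16_t ipv4_frag_off(const uint8_t *hdr)
{
    uint16_t fo;
    memcpy(&fo, hdr + 6, sizeof fo);
    return fo;
}

/* The criterion quoted in the thread: a received/bridged skb (skb_iif != 0)
 * whose DF bit is clear may be IP-fragmented after GSO segmentation. */
int forwarded_may_fragment(int skb_iif, uint16_t frag_off)
{
    return skb_iif != 0 && !(frag_off & htons(IP_DF));
}

/* User-space model (assumption: not the kernel's code) of the per-segment
 * decision once a GSO segment exceeds the egress MTU. ignore_df stands in
 * for the local "pmtudisc off" override (df_default=false / nopmtudisc in
 * the thread) that lets a locally generated DF packet be fragmented anyway. */
enum pmtu_verdict pmtu_decide(const uint8_t *hdr, unsigned seg_len,
                              unsigned mtu, int skb_iif, int ignore_df)
{
    uint16_t fo;

    if (seg_len <= mtu)
        return PMTU_PASS;
    fo = ipv4_frag_off(hdr);
    if (forwarded_may_fragment(skb_iif, fo))
        return PMTU_FRAGMENT;
    if (!skb_iif && (!(fo & htons(IP_DF)) || ignore_df))
        return PMTU_FRAGMENT;
    return PMTU_ICMP_FRAG_NEEDED;         /* forwarded DF segment: PMTU error */
}

/* Convenience wrapper: build a header with the given DF bit and decide. */
enum pmtu_verdict scenario(unsigned seg_len, unsigned mtu, int df,
                           int skb_iif, int ignore_df)
{
    uint8_t hdr[20];
    build_ipv4_hdr(hdr, (uint16_t)seg_len, df);
    return pmtu_decide(hdr, seg_len, mtu, skb_iif, ignore_df);
}

/* The byte-order pitfall: comparing frag_off against IP_DF without htons()
 * tests the wrong bit on little-endian hosts. Returns 1 when the naive test
 * disagrees with the correct one for a DF-set header on this host. */
int naive_df_check_disagrees(void)
{
    uint8_t hdr[20];
    uint16_t fo;
    build_ipv4_hdr(hdr, 1500, 1);
    fo = ipv4_frag_off(hdr);
    return !!(fo & htons(IP_DF)) != !!(fo & IP_DF);
}

int main(void)
{
    static const char *name[] = { "pass", "fragment", "icmp-frag-needed" };
    printf("forwarded, DF clear:         %s\n", name[scenario(1500, 1400, 0, 3, 0)]);
    printf("forwarded, DF set:           %s\n", name[scenario(1500, 1400, 1, 3, 0)]);
    printf("local, DF set, pmtudisc off: %s\n", name[scenario(1500, 1400, 1, 0, 1)]);
    printf("naive IP_DF check wrong on this host: %d\n", naive_df_check_disagrees());
    return 0;
}
```

The point of the last helper is the one the thread's `htons(IP_DF)` already embodies: the flag lives in the high byte of a network-order field, so a host-order mask silently matches nothing on x86 and the oversized segment takes the wrong branch. In a real stack the same check is applied to `iph->frag_off` of each already-segmented packet, not to the original GSO skb.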
an
>>> eth0 mtu. These packets may be dropped.
>>>
>>> It has the same problem if tap0 is bridged with an ipgre or gretap device. So
>>> the IPSKB_FRAG_SEGS flag should also be set in gre tunneled skbs.
>>>
>>> Signed-off-by: wenxu <we...@ucloud.cn
From: wenxu <we...@ucloud.cn>
commit b8247f095edd ("net: ip_finish_output_gso: If skb_gso_network_seglen
exceeds MTU, allow segmentation for local udp tunneled skbs")
Given:
- tap0 and ovs-gre
- ovs-gre stacked on eth0, eth0 having the small mtu
After encapsulation
A wrong inner_proto leads to the MAC header not being pulled into the linear area.
3. Finally it made a crash in ovs_flow_extract->__skb_pull
Signed-off-by: wenxu <we...@ucloud.cn>
---
net/openvswitch/vport-gre.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/openvswitch/vport-gre.c b/net/op