netfilter: bridge-netfilter: fix refragmenting IP traffic encapsulated in PPPoE traffic

The MTU for IP traffic encapsulated inside PPPoE traffic is smaller than the MTU of the Ethernet device (1500). Connection tracking gathers all IP packets and sometimes will refragment them in ip_fragment(). We then need to subtract the length of the encapsulating header from the mtu used in ip_fragment(). The check in br_nf_dev_queue_xmit() which determines if ip_fragment() has to be called is also updated for the PPPoE-encapsulated packets. nf_bridge_copy_header() is also updated to make sure the PPPoE data length field has the correct value. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: Patrick McHardy <kaber@trash.net>

netfilter: bridge-netfilter: fix refragmenting IP traffic encapsulated in PPPoE traffic
The MTU for IP traffic encapsulated inside PPPoE traffic is smaller than the MTU of the Ethernet device (1500). Connection tracking gathers all IP packets and sometimes will refragment them in ip_fragment(). We then need to subtract the length of the encapsulating header from the mtu used in ip_fragment(). The check in br_nf_dev_queue_xmit() which determines if ip_fragment() has to be called is also updated for the PPPoE-encapsulated packets. nf_bridge_copy_header() is also updated to make sure the PPPoE data length field has the correct value. Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: Patrick McHardy <kaber@trash.net>
Bart De Schuymer · Patrick McHardy
1 parent 6291055465
Showing 3 changed files with 12 additions and 1 deletions Side-by-side Diff
include/linux/netfilter_bridge.h
net/bridge/br_netfilter.c
net/ipv4/ip_output.c
@@ -68,6 +68,13 @@
 	}
 }
  
+static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
+{
+	if (unlikely(skb->nf_bridge->mask & BRNF_PPPoE))
+		return PPPOE_SES_HLEN;
+	return 0;
+}
+
 extern int br_handle_frame_finish(struct sk_buff *skb);
 /* Only used in br_device.c */
 static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
@@ -745,7 +745,7 @@
 static int br_nf_dev_queue_xmit(struct sk_buff *skb)
 {
 	if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
-	    skb->len > skb->dev->mtu &&
+	    skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
 	    !skb_is_gso(skb))
 		return ip_fragment(skb, br_dev_queue_push_xmit);
 	else
@@ -469,6 +469,10 @@
  
 	hlen = iph->ihl * 4;
 	mtu = dst_mtu(&rt->u.dst) - hlen;	/* Size of data space */
+#ifdef CONFIG_BRIDGE_NETFILTER
+	if (skb->nf_bridge)
+		mtu -= nf_bridge_mtu_reduction(skb);
+#endif
 	IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;
  
 	/* When frag_list is given, use it. First, check its validity:
...	...	@@ -68,6 +68,13 @@
68	68	}
69	69	}
70	70
	71	+static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
	72	+{
	73	+ if (unlikely(skb->nf_bridge->mask & BRNF_PPPoE))
	74	+ return PPPOE_SES_HLEN;
	75	+ return 0;
	76	+}
	77	+
71	78	extern int br_handle_frame_finish(struct sk_buff *skb);
72	79	/* Only used in br_device.c */
73	80	static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
...	...	@@ -745,7 +745,7 @@
745	745	static int br_nf_dev_queue_xmit(struct sk_buff *skb)
746	746	{
747	747	if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
748		- skb->len > skb->dev->mtu &&
	748	+ skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
749	749	!skb_is_gso(skb))
750	750	return ip_fragment(skb, br_dev_queue_push_xmit);
751	751	else
...	...	@@ -469,6 +469,10 @@
469	469
470	470	hlen = iph->ihl * 4;
471	471	mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */
	472	+#ifdef CONFIG_BRIDGE_NETFILTER
	473	+ if (skb->nf_bridge)
	474	+ mtu -= nf_bridge_mtu_reduction(skb);
	475	+#endif
472	476	IPCB(skb)->flags \|= IPSKB_FRAG_COMPLETE;
473	477
474	478	/* When frag_list is given, use it. First, check its validity: