mirror of https://gitee.com/openkylin/linux.git
aff09ce303
Currently bridge can silently drop ipv4 fragments. If node have loaded nf_defrag_ipv4 module but have no nf_conntrack_ipv4, br_nf_pre_routing defragments incoming ipv4 fragments but nfct check in br_nf_dev_queue_xmit does not allow re-fragment combined packet back, and therefore it is dropped in br_dev_queue_push_xmit without incrementing of any failcounters It seems the only way to hit the ip_fragment code in the bridge xmit path is to have a fragment list whose reassembled fragments go over the mtu. This only happens if nf_defrag is enabled. Thanks to Florian Westphal for providing feedback to clarify this. Defragmentation ipv4 is required not only in conntracks but at least in TPROXY target and socket match, therefore #ifdef is changed from NF_CONNTRACK_IPV4 to NF_DEFRAG_IPV4 Signed-off-by: Vasily Averin <vvs@openvz.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
---|---|---|
.. | ||
netfilter | ||
Kconfig | ||
Makefile | ||
br.c | ||
br_device.c | ||
br_fdb.c | ||
br_forward.c | ||
br_if.c | ||
br_input.c | ||
br_ioctl.c | ||
br_mdb.c | ||
br_multicast.c | ||
br_netfilter.c | ||
br_netlink.c | ||
br_notify.c | ||
br_private.h | ||
br_private_stp.h | ||
br_stp.c | ||
br_stp_bpdu.c | ||
br_stp_if.c | ||
br_stp_timer.c | ||
br_sysfs_br.c | ||
br_sysfs_if.c | ||
br_vlan.c |