forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/net/ipv6
History
Jiri Pirko fddd8b501c netfilter: push reasm skb through instead of original frag skbs 
[ Upstream commit 6aafeef03b ]

Pushing original fragments through causes several problems. For example
for matching, frags may not be matched correctly. Take following
example:

<example>
On HOSTA do:
ip6tables -I INPUT -p icmpv6 -j DROP
ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT

and on HOSTB you do:
ping6 HOSTA -s2000    (MTU is 1500)

Incoming echo requests will be filtered out on HOSTA. This issue does
not occur with smaller packets than MTU (where fragmentation does not happen)
</example>

As was discussed previously, the only correct solution seems to be to use
reassembled skb instead of separete frags. Doing this has positive side
effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams
dances in ipvs and conntrack can be removed.

Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c
entirely and use code in net/ipv6/reassembly.c instead.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-12-08 07:29:25 -08:00
..
netfilter netfilter: push reasm skb through instead of original frag skbs 2013-12-08 07:29:25 -08:00
addrconf.c IPv6 NAT: Do not drop DNATed 6to4/6rd packets 2013-10-13 16:08:30 -07:00
addrconf_core.c ipv6: statically link register_inet6addr_notifier() 2013-04-14 15:24:17 -04:00
addrlabel.c ipv6: fix null pointer dereference in __ip6addrlbl_add 2013-09-14 06:54:56 -07:00
af_inet6.c GRE: Refactor GRE tunneling code. 2013-03-26 12:27:18 -04:00
ah6.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
anycast.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
datagram.c ipv6: fix leaking uninitialized port number of offender sockaddr 2013-12-08 07:29:25 -08:00
esp6.c ah6/esp6: set transport header correctly for IPsec tunnel mode. 2013-01-08 12:41:30 +01:00
exthdrs.c ipv6/exthdrs: accept tlv which includes only padding 2013-10-13 16:08:28 -07:00
exthdrs_core.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jesse/openvswitch 2012-11-30 12:01:30 -05:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
fib6_rules.c ipv6: introduce ip6_rt_put() 2012-11-03 14:59:05 -04:00
icmp.c ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO 2013-09-14 06:54:56 -07:00
inet6_connection_sock.c ipv6: use newly introduced __ipv6_addr_needs_scope_id and ipv6_iface_scope_id 2013-03-08 12:29:22 -05:00
inet6_hashtables.c net: do not call sock_put() on TIMEWAIT sockets 2013-11-04 04:31:00 -08:00
ip6_checksum.c ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
ip6_fib.c net: fib: fib6_add: fix potential NULL pointer dereference 2013-10-13 16:08:28 -07:00
ip6_flowlabel.c ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh 2013-12-08 07:29:24 -08:00
ip6_gre.c ipv6: gre: correct calculation of max_headroom 2013-10-13 16:08:30 -07:00
ip6_icmp.c ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
ip6_input.c ipv6: don't accept node local multicast traffic from the wire 2013-03-29 14:57:33 -04:00
ip6_offload.c tunneling: Add generic Tunnel segmentation. 2013-03-09 16:09:17 -05:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c ip6_output: fragment outgoing reassembled skb properly 2013-12-08 07:29:25 -08:00
ip6_tunnel.c ip6tnl: allow to use rtnl ops on fb tunnel 2013-10-13 16:08:31 -07:00
ip6mr.c ipv6: take rtnl_lock and mark mrt6 table as freed on namespace cleanup 2013-08-11 18:35:25 -07:00
ipcomp6.c ipv6: Add redirect support to all protocol icmp error handlers. 2012-07-12 00:25:15 -07:00
ipv6_sockglue.c ipv6: rename datagram_send_ctl and datagram_recv_ctl 2013-01-31 13:53:08 -05:00
Kconfig Tunneling: use IP Tunnel stats APIs. 2013-03-26 12:27:19 -04:00
Makefile ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
mcast.c ipv6 mcast: use in6_dev_put in timer handlers instead of __in6_dev_put 2013-10-13 16:08:30 -07:00
mip6.c ipv6: mip6: fix mip6_mh_filter() 2012-09-25 16:04:44 -04:00
ndisc.c ipv6: Don't depend on per socket memory for neighbour discovery messages 2013-09-14 06:54:56 -07:00
netfilter.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
output_core.c ipv6: Update ipv6 static library with newly needed functions 2012-11-15 17:39:23 -05:00
proc.c snmp6: remove IPSTATS_MIB_CSUMERRORS 2013-05-31 16:26:49 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions 2013-12-08 07:29:25 -08:00
reassembly.c ipv6: drop packets with multiple fragmentation headers 2013-09-14 06:54:55 -07:00
route.c ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv 2013-12-08 07:29:24 -08:00
sit.c sit: allow to use rtnl ops on fb tunnel 2013-10-13 16:08:30 -07:00
syncookies.c tcp: Remove TCPCT 2013-03-17 14:35:13 -04:00
sysctl_net_ipv6.c net: Enable some sysctls that are safe for the userns root 2012-11-18 20:33:00 -05:00
tcp_ipv6.c net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv 2013-09-14 06:54:56 -07:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c net: ipv6: Standardize prefixes for message logging 2012-05-16 01:01:03 -04:00
udp.c inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions 2013-12-08 07:29:25 -08:00
udp_impl.h ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
udp_offload.c ipv6: fix headroom calculation in udp6_ufo_fragment 2013-12-08 07:29:23 -08:00
udplite.c ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
xfrm6_input.c
xfrm6_mode_beet.c ipsec: be careful of non existing mac headers 2012-02-23 16:50:45 -05:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00
xfrm6_output.c xfrm6: remove unneeded NULL check in __xfrm6_output() 2012-02-01 02:52:48 -05:00
xfrm6_policy.c xfrm6: release dev before returning error 2013-05-11 17:40:15 -07:00
xfrm6_state.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
xfrm6_tunnel.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00