[IPV6]: Fix IPsec datagram fragmentation

To: <git-commits-head@...>
Date: Friday, February 15, 2008 - 6:00 pm

Gitweb:     http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=28a894...
Commit:     28a89453b1e8de8d777ad96fa1eef27b5d1ce074
Parent:     69cc64d8d92bf852f933e90c888dfff083bd4fc9
Author:     Herbert Xu <herbert@gondor.apana.org.au>
AuthorDate: Tue Feb 12 18:07:27 2008 -0800
Committer:  David S. Miller <davem@davemloft.net>
CommitDate: Tue Feb 12 18:07:27 2008 -0800

    [IPV6]: Fix IPsec datagram fragmentation
    
    This is a long-standing bug in the IPsec IPv6 code that breaks
    when we emit an IPsec tunnel-mode datagram packet.  The problem
    is that the code that emits the packet assumes the IPv6 stack
    will fragment it later, but the IPv6 stack assumes that whoever
    is emitting the packet is going to pre-fragment the packet.
    
    In the long term we need to fix both sides, e.g., to get the
    datagram code to pre-fragment as well as to get the IPv6 stack
    to fragment locally generated tunnel-mode packets.
    
    For now this patch does the second part which should make it
    work for the IPsec host case.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/ipv6/ip6_output.c   |    6 +++++-
 net/ipv6/xfrm6_output.c |    2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 9ac6ca2..4e9a2fe 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -621,7 +621,7 @@ static int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
 	 * or if the skb it not generated by a local socket.  (This last
 	 * check should be redundant, but it's free.)
 	 */
-	if (!np || np->pmtudisc >= IPV6_PMTUDISC_DO) {
+	if (skb->local_df) {
 		skb->dev = skb->dst->dev;
 		icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
 		IP6_INC_STATS(ip6_dst_idev(skb->dst), IPSTATS_MIB_FRAGFAILS);
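Review bot: the new test `if (skb->local_df)` in ip6_fragment() looks inverted. As written, ICMPV6_PKT_TOOBIG is sent and IPSTATS_MIB_FRAGFAILS is bumped exactly when the flag is set, yet the xfrm6_tunnel_check_size() hunk in this same patch treats a set local_df as the reason to skip the too-big error, and the comment added in ip6_push_pending_frames() describes setting it as "Allow local fragmentation". Suggest `if (!skb->local_df) {` so that all three sites agree on what the flag means. The comment above the test also still says the error applies "if the skb is not generated by a local socket", which the removed `!np` term covered; please reword it to describe the flag, since forwarded skbs are now handled only through whatever value local_df happens to carry.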
@@ -1420,6 +1420,10 @@ int ip6_push_pending_frames(struct sock *sk)
 		tmp_skb->sk = NULL;
 	}
 
+	/* Allow local fragmentation. */
+	if (np->pmtudisc >= IPV6_PMTUDISC_DO)
+		skb->local_df = 1;
+
 	ipv6_addr_copy(final_dst, &fl->fl6_dst);
 	__skb_pull(skb, skb_network_header_len(skb));
 	if (opt && opt->opt_flen)
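Review bot: the comparison in the added block of ip6_push_pending_frames() appears to go the wrong way for the comment it sits under. `np->pmtudisc >= IPV6_PMTUDISC_DO` is the same condition that the removed line in ip6_fragment() used to refuse fragmentation and return a too-big error, so setting `skb->local_df = 1` under "Allow local fragmentation" for those sockets reverses the existing behaviour for callers that asked for PMTU discovery. Suggest `if (np->pmtudisc < IPV6_PMTUDISC_DO)`. It would also help to extend the comment to say that the flag is consumed later by ip6_fragment() and xfrm6_tunnel_check_size(), since nothing at this site shows who reads it.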
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index b34c58c..79ccfb0 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -36,7 +36,7 @@ static int xfrm6_tunnel_check_size(struct sk_buff *skb)
 	if (mtu < IPV6_MIN_MTU)
 		mtu = IPV6_MIN_MTU;
 
-	if (skb->len > mtu) {
+	if (!skb->local_df && skb->len > mtu) {
 		skb->dev = dst->dev;
 		icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu, skb->dev);
 		ret = -EMSGSIZE;
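Review bot: with `!skb->local_df &&` in front of the length test, xfrm6_tunnel_check_size() no longer reports -EMSGSIZE for an oversized tunnel-mode packet whenever the flag is set, so correctness now depends entirely on ip6_fragment() fragmenting that packet later and on both functions reading the flag with the same polarity. Please add a short comment here stating that the size check is deliberately skipped because the IPv6 output path will fragment locally generated packets, and double-check it against the `if (skb->local_df)` test in the ip6_output.c hunk, which takes the error path for the same flag value that bypasses the error here.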