efb6de9b4b
IPv6 fragmented packets are not forwarded on an ethernet bridge with netfilter ip6_tables loaded. e.g. steps to reproduce 1) create a simple bridge like this modprobe br_netfilter brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth2 ifconfig eth0 up ifconfig eth2 up ifconfig br0 up 2) place a host with an IPv6 address on each side of the bridge set IPv6 address on host A: ip -6 addr add fd01:2345:6789:1::1/64 dev eth0 set IPv6 address on host B: ip -6 addr add fd01:2345:6789:1::2/64 dev eth0 3) run a simple ping command on host A with packets > MTU ping6 -s 4000 fd01:2345:6789:1::2 4) wait some time and run e.g. "ip6tables -t nat -nvL" on the bridge IPv6 fragmented packets traverse the bridge cleanly until somebody runs "ip6tables -t nat -nvL". As soon as it is run (and netfilter modules are loaded) IPv6 fragmented packets do not traverse the bridge any more (you see no more responses in ping's output). After applying this patch IPv6 fragmented packets traverse the bridge cleanly in the above scenario. Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at> [pablo@netfilter.org: small changes to br_nf_dev_queue_xmit] Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
/* IPv6-specific defines for netfilter.
* (C)1998 Rusty Russell -- This code is GPL.
* (C)1999 David Jeffery
* this header was blatantly ripped from netfilter_ipv4.h
* it's amazing what adding a bunch of 6s can do =8^)
*/
#ifndef __LINUX_IP6_NETFILTER_H
#define __LINUX_IP6_NETFILTER_H
#include <uapi/linux/netfilter_ipv6.h>
#ifdef CONFIG_NETFILTER
int ip6_route_me_harder(struct sk_buff *skb);
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol);
int ipv6_netfilter_init(void);
void ipv6_netfilter_fini(void);
/*
* Hook functions for ipv6 to allow xt_* modules to be built-in even
* if IPv6 is a module.
*/
struct nf_ipv6_ops {
	/*
	 * Address lookup for @addr in @net, optionally restricted to @dev
	 * when @strict is set.  The return convention is that of the IPv6
	 * implementation behind the pointer, not defined by this header.
	 */
	int (*chk_addr)(struct net *net, const struct in6_addr *addr,
			const struct net_device *dev, int strict);
	/* Run routing for an incoming skb; no result is reported to the caller. */
	void (*route_input)(struct sk_buff *skb);
	/*
	 * Fragment @skb and emit the pieces through @output.  Added so the
	 * bridge netfilter transmit path can send IPv6 packets it has
	 * reassembled (see commit message); presumably @output is invoked once
	 * per fragment and the return value is the usual 0/-errno -- confirm
	 * against the registered implementation before relying on either.
	 */
	int (*fragment)(struct sock *sk, struct sk_buff *skb,
			int (*output)(struct sock *, struct sk_buff *));
};
extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops;
/**
 * nf_get_ipv6_ops - fetch the currently registered IPv6 helper table
 *
 * Returns the RCU-protected nf_ipv6_ops pointer; it may be NULL if no
 * IPv6 implementation has registered, so callers must check it before
 * use.  Because this is an rcu_dereference(), the caller must be inside
 * an RCU read-side critical section and must not keep the pointer past
 * the end of that section.
 */
static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void)
{
	const struct nf_ipv6_ops *ops;

	ops = rcu_dereference(nf_ipv6_ops);
	return ops;
}
#else /* CONFIG_NETFILTER */
/* Stub for kernels built without CONFIG_NETFILTER: nothing to register, always succeeds. */
static inline int ipv6_netfilter_init(void)
{
	return 0;
}
/* Stub for kernels built without CONFIG_NETFILTER: nothing to tear down. */
static inline void ipv6_netfilter_fini(void)
{
}
#endif /* CONFIG_NETFILTER */
#endif /*__LINUX_IP6_NETFILTER_H*/