• Patrick McHardy's avatar
    netfilter: nf_conntrack_ipv6: improve fragmentation handling · 4cdd3408
    Patrick McHardy authored
    The IPv6 conntrack fragmentation currently has a couple of shortcomings.
    Fragmentes are collected in PREROUTING/OUTPUT, are defragmented, the
    defragmented packet is then passed to conntrack, the resulting conntrack
    information is attached to each original fragment and the fragments then
    continue their way through the stack.
    
    Helper invocation occurs in the POSTROUTING hook, at which point only
    the original fragments are available. The result of this is that
    fragmented packets are never passed to helpers.
    
    This patch improves the situation in the following way:
    
    - If a reassembled packet belongs to a connection that has a helper
      assigned, the reassembled packet is passed through the stack instead
      of the original fragments.
    
    - During defragmentation, the largest received fragment size is stored.
      On output, the packet is refragmented if required. If the largest
      received fragment size exceeds the outgoing MTU, a "packet too big"
      message is generated, thus behaving as if the original fragments
      were passed through the stack from an outside point of view.
    
    - The ipv6_helper() hook function can't receive fragments anymore for
      connections using a helper, so it is switched to use ipv6_skip_exthdr()
      instead of the netfilter specific nf_ct_ipv6_skip_exthdr() and the
      reassembled packets are passed to connection tracking helpers.
    
    The result of this is that we can properly track fragmented packets, but
    still generate ICMPv6 Packet too big messages if we would have before.
    
    This patch is also required as a precondition for IPv6 NAT, where NAT
    helpers might enlarge packets up to a point that they require
    fragmentation. In that case we can't generate Packet too big messages
    since the proper MTU can't be calculated in all cases (f.i. when
    changing textual representation of a variable amount of addresses),
    so the packet is transparently fragmented iff the original packet or
    fragments would have fit the outgoing MTU.
    
    IPVS parts by Jesper Dangaard Brouer <brouer@redhat.com>.
    Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
    4cdd3408
ipv6.h 11.9 KB