[BR_NETFILTER]: Fix vlan-encapsulated fragmented IP traffic.

When vlan-tagged fragmented IP traffic passes the bridging firewall and
ip_conntrack is loaded and iptables sees this IP traffic, an oops can
occur when trying to fragment the defragmented packets. This only
happens in the slow_path of ip_fragment().
The problem was reported, diagnosed and fixed by Adam Osuchowski and
Tomasz Dubinski.
When ip_fragment() is fragmenting an IP packet that's encapsulated, it has
to make sure there is enough head room for the encapsulating header.

The patch below fixes it. I saw no other way than to add some code to
ip_fragment(), but this extra code is located in the slow_path so it's
hardly ever executed.

diff --git a/include/linux/netfilter_bridge.h b/include/linux/netfilter_bridge.h
index bc4f5988251ca0fa51d4455b4049006be84bb04a..de4d397865ce52e440f2a93cb75f87ba53dfdcc0 100644 (file)
--- a/include/linux/netfilter_bridge.h
+++ b/include/linux/netfilter_bridge.h
@@ -88,6 +88,20 @@ void nf_bridge_save_header(struct sk_buff *skb)
        memcpy(skb->nf_bridge->data, skb->data - header_size, header_size);
 }
 
+/* This is called by the IP fragmenting code and it ensures there is
+ * enough room for the encapsulating header (if there is one). */
+static inline
+int nf_bridge_pad(struct sk_buff *skb)
+{
+       if (skb->protocol == __constant_htons(ETH_P_IP))
+               return 0;
+       if (skb->nf_bridge) {
+               if (skb->protocol == __constant_htons(ETH_P_8021Q))
+                       return 4;
+       }
+       return 0;
+}
+
 struct bridge_skb_cb {
        union {
                __u32 ipv4;

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 2adc6cc7994b460e384c4e9fbf0a79284d32dee3..80558f7b1dc870837297077ec70f0118d277dd1d 100644 (file)
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -80,6 +80,7 @@
 #include <net/inetpeer.h>
 #include <linux/igmp.h>
 #include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_bridge.h>
 #include <linux/mroute.h>
 #include <linux/netlink.h>
 
@@ -442,7 +443,7 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
        int ptr;
        struct net_device *dev;
        struct sk_buff *skb2;
-       unsigned int mtu, hlen, left, len; 
+       unsigned int mtu, hlen, left, len, ll_rs;
        int offset;
        int not_last_frag;
        struct rtable *rt = (struct rtable*)skb->dst;
@@ -563,6 +564,14 @@ slow_path:
        left = skb->len - hlen;         /* Space per frame */
        ptr = raw + hlen;               /* Where to start from */
 
+#ifdef CONFIG_BRIDGE_NETFILTER
+       /* for bridged IP traffic encapsulated inside f.e. a vlan header,
+        * we need to make room for the encapsulating header */
+       ll_rs = LL_RESERVED_SPACE(rt->u.dst.dev + nf_bridge_pad(skb));
+       mtu -= nf_bridge_pad(skb);
+#else
+       ll_rs = LL_RESERVED_SPACE(rt->u.dst.dev);
+#endif
        /*
         *      Fragment the datagram.
         */
@@ -588,7 +597,7 @@ slow_path:
                 *      Allocate buffer.
                 */
 
-               if ((skb2 = alloc_skb(len+hlen+LL_RESERVED_SPACE(rt->u.dst.dev), GFP_ATOMIC)) == NULL) {
+               if ((skb2 = alloc_skb(len+hlen+ll_rs, GFP_ATOMIC)) == NULL) {
                        NETDEBUG(printk(KERN_INFO "IP: frag: no memory for new fragment!\n"));
                        err = -ENOMEM;
                        goto fail;
@@ -599,7 +608,7 @@ slow_path:
                 */
 
                ip_copy_metadata(skb2, skb);
-               skb_reserve(skb2, LL_RESERVED_SPACE(rt->u.dst.dev));
+               skb_reserve(skb2, ll_rs);
                skb_put(skb2, len + hlen);
                skb2->nh.raw = skb2->data;
                skb2->h.raw = skb2->data + hlen;