[BRIDGE]: Fix problems with filtering and defragmentation.

Dave, this patch from Bart De Schuymer <bdschuym@pandora.be> fixes problems
when using filtering and defragmentation.  The bridge needs to enforce the
MTU restriction after going through the filtering chain not before, because
the incoming filter may have reassembled an IP packet, that then needs to
be fragmented on the output chain.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: David S. Miller <davem@redhat.com>

diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index fd5fa75a3525fb43c052e058a81eeb43d2f98b6d..ef9f2095f96e37dae664786b70638b46befd88da 100644 (file)
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -23,7 +23,6 @@ static inline int should_deliver(const struct net_bridge_port *p,
                                 const struct sk_buff *skb)
 {
        if (skb->dev == p->dev ||
-           skb->len > p->dev->mtu ||
            p->state != BR_STATE_FORWARDING)
                return 0;
 
@@ -32,13 +31,17 @@ static inline int should_deliver(const struct net_bridge_port *p,
 
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
+       if (skb->len > skb->dev->mtu) 
+               kfree_skb(skb);
+       else {
 #ifdef CONFIG_BRIDGE_NETFILTER
-       /* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
-       nf_bridge_maybe_copy_header(skb);
+               /* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
+               nf_bridge_maybe_copy_header(skb);
 #endif
-       skb_push(skb, ETH_HLEN);
+               skb_push(skb, ETH_HLEN);
 
-       dev_queue_xmit(skb);
+               dev_queue_xmit(skb);
+       }
 
        return 0;
 }