Linux Ethernet Bridging - Apr 2007 - Fw: [Bridge] Re: Any way of knowing a packet's been defragmented

Dave, this patch from Bart De Schuymer <bdschuym@pandora.be> fixes
problems
when using filtering and defragmentation.  The bridge needs to enforce the
MTU restriction after going through the filtering chain not before, because
the incoming filter may have reassembled an IP packet, that then needs to
be fragmented on the output chain.

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>

diff -Nru a/net/bridge/br_forward.c b/net/bridge/br_forward.c
--- a/net/bridge/br_forward.c	2004-08-06 09:12:41 -07:00
+++ b/net/bridge/br_forward.c	2004-08-06 09:12:41 -07:00
@@ -23,7 +23,6 @@
 				 const struct sk_buff *skb)
 {
 	if (skb->dev == p->dev ||
-	    skb->len > p->dev->mtu ||
 	    p->state != BR_STATE_FORWARDING)
 		return 0;
 
@@ -32,13 +31,17 @@
 
 int br_dev_queue_push_xmit(struct sk_buff *skb)
 {
+	if (skb->len > skb->dev->mtu) 
+		kfree_skb(skb);
+	else {
 #ifdef CONFIG_BRIDGE_NETFILTER
-	/* ip_refrag calls ip_fragment, which doesn't copy the MAC header. */
-	nf_bridge_maybe_copy_header(skb);
+		/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
+		nf_bridge_maybe_copy_header(skb);
 #endif
-	skb_push(skb, ETH_HLEN);
+		skb_push(skb, ETH_HLEN);
 
-	dev_queue_xmit(skb);
+		dev_queue_xmit(skb);
+	}
 
 	return 0;
 }

Stephen, I'm still waiting for a fixed version of that VLAN
ethtool/mii-regs patch.  That's holding up the whole batch
of bridge stuff you have pending which sits in my inbox.

On Fri, 6 Aug 2004 09:13:05 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:
> Dave, this patch from Bart De Schuymer <bdschuym@pandora.be> fixes
problems
> when using filtering and defragmentation.  The bridge needs to enforce the
> MTU restriction after going through the filtering chain not before, because
> the incoming filter may have reassembled an IP packet, that then needs to
> be fragmented on the output chain.
Applied.