git.baikalelectronics.ru Git - kernel.git/commit

author	Aya Levin <ayal@nvidia.com>
	Thu, 7 Jan 2021 13:50:18 +0000 (15:50 +0200)
committer	Jakub Kicinski <kuba@kernel.org>
	Sat, 9 Jan 2021 22:06:32 +0000 (14:06 -0800)
commit	7b86023e54f70bd78fc31214d589064277b6f810
tree	ba7e41b91053d811d14426cc279b27ddbda866db	tree \| snapshot
parent	a09a068f4d1acdf02bd5b8b138800d5a73d11da0	commit \| diff

net: ipv6: Validate GSO SKB before finish IPv6 processing

There are cases where GSO segment's length exceeds the egress MTU:
- Forwarding of a TCP GRO skb, when DF flag is not set.
- Forwarding of an skb that arrived on a virtualisation interface
   (virtio-net/vhost/tap) with TSO/GSO size set by other network
   stack.
- Local GSO skb transmitted on an NETIF_F_TSO tunnel stacked over an
   interface with a smaller MTU.
- Arriving GRO skb (or GSO skb in a virtualised environment) that is
   bridged to a NETIF_F_TSO tunnel stacked over an interface with an
   insufficient MTU.

If so:
- Consume the SKB and its segments.
- Issue an ICMP packet with 'Packet Too Big' message containing the
   MTU, allowing the source host to reduce its Path MTU appropriately.

Note: These cases are handled in the same manner in IPv4 output finish.
This patch aligns the behavior of IPv6 and the one of IPv4.

Fixes: 064d88762be8 ("netfilter: ipv6: move POSTROUTING invocation before fragmentation")
Signed-off-by: Aya Levin <ayal@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/1610027418-30438-1-git-send-email-ayal@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>