diff mbox

no reassembly for outgoing packets on RAW socket

Message ID 20100604112708.GA1958@jolsa.lab.eng.brq.redhat.com
State Not Applicable, archived
Delegated to: David Miller
Headers show

Commit Message

Jiri Olsa June 4, 2010, 11:27 a.m. UTC 
hi,

I'd like to be able to sendout a single IP packet with MF flag set.

When using RAW sockets the packet will get stuck in the
netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit)
and wont ever make it out..

I made a change which bypass the outgoing reassembly for
RAW sockets, but I'm not sure wether it's too invasive..

Is there any standard for RAW sockets behaviour?
Or another way around? :)

thanks,
jirka


---
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Patrick McHardy June 4, 2010, 12:03 p.m. UTC | #1 
Jiri Olsa wrote:
> hi,
> 
> I'd like to be able to sendout a single IP packet with MF flag set.
> 
> When using RAW sockets the packet will get stuck in the
> netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit)
> and wont ever make it out..
> 
> I made a change which bypass the outgoing reassembly for
> RAW sockets, but I'm not sure wether it's too invasive..

That would break reassembly (and thus connection tracking) for cases
where its really intended.

> Is there any standard for RAW sockets behaviour?
> Or another way around? :)

You could use the NOTRACK target to bypass connection tracking.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index cb763ae..5ef8ab2 100644
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -74,6 +74,10 @@  static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 		return NF_ACCEPT;
 #endif
 #endif
+	/* Do not reassemble for raw sockets. */
+	if (skb->sk && skb->sk->sk_type == SOCK_RAW)
+		return NF_ACCEPT;
+
 	/* Gather fragments. */
 	if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
 		enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index beb2581..a9aa19c 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -86,8 +86,14 @@  nf_nat_fn(unsigned int hooknum,
 	enum nf_nat_manip_type maniptype = HOOK2MANIP(hooknum);
 
 	/* We never see fragments: conntrack defrags on pre-routing
-	   and local-out, and nf_nat_out protects post-routing. */
-	NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
+	   and local-out, and nf_nat_out protects post-routing.
+	   With the exception of RAW sockets. */
+#ifdef CONFIG_NETFILTER_DEBUG
+	int raw  = (skb->sk && skb->sk->sk_type == SOCK_RAW);
+	int frag = (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET));
+
+	NF_CT_ASSERT(!frag || (frag && raw));
+#endif
 
 	ct = nf_ct_get(skb, &ctinfo);
 	/* Can't track?  It's not due to stress, or conntrack would