@@ -40,6 +40,7 @@
#include <linux/slab.h>
#include <linux/netfilter.h>
+#include <linux/netfilter_bridge.h>
#include <linux/netfilter_ipv6.h>
#include <net/sock.h>
@@ -578,6 +579,10 @@ int ip6_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *))
mtu = np->frag_size;
}
mtu -= hlen + sizeof(struct frag_hdr);
+#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
+ if (skb->nf_bridge)
+ mtu -= nf_bridge_mtu_reduction(skb);
+#endif
if (skb_has_frag_list(skb)) {
int first_len = skb_pagelen(skb);
@@ -717,7 +722,10 @@ slow_path:
*/
*prevhdr = NEXTHDR_FRAGMENT;
- hroom = LL_RESERVED_SPACE(rt->dst.dev);
+ /* for bridged IP traffic encapsulated inside f.e. a vlan header,
+ * we need to make room for the encapsulating header
+ */
+ hroom = LL_RESERVED_SPACE_EXTRA(rt->dst.dev, nf_bridge_pad(skb));
troom = rt->dst.dev->needed_tailroom;
/*
ip6_fragment() was not called by netfilter bridge code before changes in "bridge: forward IPv6 fragmented packets when passing" and lacks mtu size reduction as found in ip_fragment(). Add mtu size reductions based on ip_fragment() code. Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at> --- Patch needs further testing in specific scenarios (e.g. fragmented IPv6 packet within PPPoE over bridge) to confirm correct operation. net/ipv6/ip6_output.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)