{"id":2223988,"url":"http://patchwork.ozlabs.org/api/patches/2223988/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260416131453.308611-9-pablo@netfilter.org/","project":{"id":26,"url":"http://patchwork.ozlabs.org/api/projects/26/?format=json","name":"Netfilter Development","link_name":"netfilter-devel","list_id":"netfilter-devel.vger.kernel.org","list_email":"netfilter-devel@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260416131453.308611-9-pablo@netfilter.org>","list_archive_url":null,"date":"2026-04-16T13:14:50","name":"[net,08/11] ipvs: fix MTU check for GSO packets in tunnel mode","commit_ref":null,"pull_url":null,"state":"superseded","archived":true,"hash":"c82809ed53d9933502506ec6d601874ebab2232b","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":{"id":11902,"url":"http://patchwork.ozlabs.org/api/users/11902/?format=json","username":"strlen","first_name":"Florian","last_name":"Westphal","email":"fw@strlen.de"},"mbox":"http://patchwork.ozlabs.org/project/netfilter-devel/patch/20260416131453.308611-9-pablo@netfilter.org/mbox/","series":[{"id":500161,"url":"http://patchwork.ozlabs.org/api/series/500161/?format=json","web_url":"http://patchwork.ozlabs.org/project/netfilter-devel/list/?series=500161","date":"2026-04-16T13:14:48","name":"[net,01/11] netfilter: arp_tables: fix IEEE1394 ARP payload parsing in arp_packet_match()","version":1,"mbox":"http://patchwork.ozlabs.org/series/500161/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2223988/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2223988/checks/","tags":{},"related":[],"headers":{"Return-Path":"\n 
<netfilter-devel+bounces-11976-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=JnKpWhU4;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c15:e001:75::12fc:5321; helo=sin.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-11976-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"JnKpWhU4\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sin.lore.kernel.org (sin.lore.kernel.org\n [IPv6:2600:3c15:e001:75::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fxJWT0QSjz1yG9\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 23:19:17 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sin.lore.kernel.org (Postfix) with ESMTP id 3CD66305E340\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 16 Apr 2026 13:15:55 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 53BC63C13E5;\n\tThu, 16 Apr 2026 13:15:15 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 4E17C3BF68F;\n\tThu, 16 Apr 2026 13:15:13 +0000 (UTC)","from localhost.localdomain (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with ESMTPSA id 31FA160177;\n\tThu, 16 Apr 2026 15:15:11 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776345314; cv=none;\n b=i2fwnFb9WCDU8yIvAWez62t1ngjiGMn2M+wtgoj2PDkrNkyfu0IQfhyucVRNIhs/io+ZUzQ4sAE4mPqGMcsSBku7Of/hKwoaVEZ98T1nJ1yUx+/YNy46v/PHuuuZ4zlZJOCwetjwSQ4zN0INyt8uYiMOgYnvMzpkLYkJUVYhFSU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776345314; c=relaxed/simple;\n\tbh=K3jCvsals8BPY7qGgU/izMTL7eFMYcpuqpfYf5bWk6I=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=fP1ZYr364hVeFZqvYueZ2iJiFIa9qhEEqAzNnMm4trtNVGCVYgP30utedD33OYMa+5vJao5bsNZPOMNk/i2Kk6c/x0dORkLkwGe+xVFDctzxgLx9Ab8s6BWPIqr32CKtrT3Fvjzad5jutvoW1w/+KGDND3BnlBSPxv55zPVKaIM=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=JnKpWhU4; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1776345311;\n\tbh=fkRYP2uZVZjeOQ1Q6YgYeZAja49M92t1g5wZ2mqC/nQ=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=JnKpWhU4bus84SpADQ/4rc5FznTivDPkz3xaavLN07iuZeef2KgyMdQ/bIivrbxD6\n\t oM4+H0CP9SWWuzHbaHf5OF+0nxF3syy/zohpm6wcB9t3hM0QTDEnoTfZ1d/KrkFLNr\n\t ljh7RxurnbF/j6aLjNMPrHnD3H5s+ktrGdrrGCrBVArLdTOjOSbVM3vqMpTQrTcqM/\n\t wq8vpT4skwCs6Mk2WO2hk4gq4Rnk6IIsLbv7m6z0PNneof6teo7wHfhd8EBTNCmGcD\n\t YmkZ6sM6eFZxZ/0G0mh3Ssqit+v+f0ZHIzerxfJJk6P3nBBMIsmZUa7Dr4ykGD8pka\n\t S4IXfzgYiWPlg==","From":"Pablo Neira Ayuso 
<pablo@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"davem@davemloft.net,\n\tnetdev@vger.kernel.org,\n\tkuba@kernel.org,\n\tpabeni@redhat.com,\n\tedumazet@google.com,\n\tfw@strlen.de,\n\thorms@kernel.org","Subject":"[PATCH net 08/11] ipvs: fix MTU check for GSO packets in tunnel mode","Date":"Thu, 16 Apr 2026 15:14:50 +0200","Message-ID":"<20260416131453.308611-9-pablo@netfilter.org>","X-Mailer":"git-send-email 2.47.3","In-Reply-To":"<20260416131453.308611-1-pablo@netfilter.org>","References":"<20260416131453.308611-1-pablo@netfilter.org>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"<netfilter-devel.vger.kernel.org>","List-Subscribe":"<mailto:netfilter-devel+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:netfilter-devel+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"From: Yingnan Zhang <342144303@qq.com>\n\nCurrently, IPVS skips MTU checks for GSO packets by excluding them with\nthe !skb_is_gso(skb) condition. This creates problems when IPVS tunnel\nmode encapsulates GSO packets with IPIP headers.\n\nThe issue manifests in two ways:\n\n1. MTU violation after encapsulation:\n   When a GSO packet passes through IPVS tunnel mode, the original MTU\n   check is bypassed. After adding the IPIP tunnel header, the packet\n   size may exceed the outgoing interface MTU, leading to unexpected\n   fragmentation at the IP layer.\n\n2. Fragmentation with problematic IP IDs:\n   When net.ipv4.vs.pmtu_disc=1 and a GSO packet with multiple segments\n   is fragmented after encapsulation, each segment gets a sequentially\n   incremented IP ID (0, 1, 2, ...). 
This happens because:\n\n   a) The GSO packet bypasses MTU check and gets encapsulated\n   b) At __ip_finish_output, the oversized GSO packet is split into\n      separate SKBs (one per segment), with IP IDs incrementing\n   c) Each SKB is then fragmented again based on the actual MTU\n\n   This sequential IP ID allocation differs from the expected behavior\n   and can cause issues with fragment reassembly and packet tracking.\n\nFix this by properly validating GSO packets using\nskb_gso_validate_network_len(). This function correctly validates\nwhether the GSO segments will fit within the MTU after segmentation. If\nvalidation fails, send an ICMP Fragmentation Needed message to enable\nproper PMTU discovery.\n\nFixes: 4cdd34084d53 (\"netfilter: nf_conntrack_ipv6: improve fragmentation handling\")\nSigned-off-by: Yingnan Zhang <342144303@qq.com>\nAcked-by: Julian Anastasov <ja@ssi.bg>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/ipvs/ip_vs_xmit.c | 19 +++++++++++++++----\n 1 file changed, 15 insertions(+), 4 deletions(-)","diff":"diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c\nindex 3601eb86d025..7c570f48ade2 100644\n--- a/net/netfilter/ipvs/ip_vs_xmit.c\n+++ b/net/netfilter/ipvs/ip_vs_xmit.c\n@@ -102,6 +102,18 @@ __ip_vs_dst_check(struct ip_vs_dest *dest)\n \treturn dest_dst;\n }\n \n+/* Based on ip_exceeds_mtu(). 
*/\n+static bool ip_vs_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)\n+{\n+\tif (skb->len <= mtu)\n+\t\treturn false;\n+\n+\tif (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))\n+\t\treturn false;\n+\n+\treturn true;\n+}\n+\n static inline bool\n __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)\n {\n@@ -111,10 +123,9 @@ __mtu_check_toobig_v6(const struct sk_buff *skb, u32 mtu)\n \t\t */\n \t\tif (IP6CB(skb)->frag_max_size > mtu)\n \t\t\treturn true; /* largest fragment violate MTU */\n-\t}\n-\telse if (skb->len > mtu && !skb_is_gso(skb)) {\n+\t} else if (ip_vs_exceeds_mtu(skb, mtu))\n \t\treturn true; /* Packet size violate MTU size */\n-\t}\n+\n \treturn false;\n }\n \n@@ -232,7 +243,7 @@ static inline bool ensure_mtu_is_adequate(struct netns_ipvs *ipvs, int skb_af,\n \t\t\treturn true;\n \n \t\tif (unlikely(ip_hdr(skb)->frag_off & htons(IP_DF) &&\n-\t\t\t     skb->len > mtu && !skb_is_gso(skb) &&\n+\t\t\t     ip_vs_exceeds_mtu(skb, mtu) &&\n \t\t\t     !ip_vs_iph_icmp(ipvsh))) {\n \t\t\ticmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED,\n \t\t\t\t  htonl(mtu));\n","prefixes":["net","08/11"]}
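Review bot: the comment on ip_vs_exceeds_mtu() in the first hunk (@@ -102,6 +102,18 @@) says only "Based on ip_exceeds_mtu()" and does not document what the helper checks or what mtu must represent. The commit message is about packet size after IPIP encapsulation, but nothing in the visible lines shows whether the mtu passed in has already been reduced by the tunnel header overhead. Please extend the comment to say that for GSO skbs the per-segment network length is validated with skb_gso_validate_network_len() instead of comparing skb->len, and state the expectation on mtu for both callers.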
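Review bot: in the __mtu_check_toobig_v6() hunk (@@ -111,10 +123,9 @@) the new "} else if (ip_vs_exceeds_mtu(skb, mtu))" branch drops its braces while the preceding if branch keeps them. Kernel coding style asks for braces on every branch of a conditional when any one branch needs them, so keep "{" and "}" around the "return true;" here. That also avoids replacing the removed closing brace with a bare blank line.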
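Review bot: in the ensure_mtu_is_adequate() hunk (@@ -232,7 +243,7 @@) the DF branch can now reach icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)) for GSO skbs, which the removed "!skb_is_gso(skb)" test used to exclude, and the diffstat shows only ip_vs_xmit.c changed, so no test accompanies this behaviour change. Consider adding a selftest that pushes GSO traffic through a tunnel-mode destination with a reduced path MTU and checks both outcomes: segments that fit are forwarded without the ICMP error, and segments that do not fit trigger it.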