• Bernhard Thaler's avatar
    netfilter: bridge: forward IPv6 fragmented packets · efb6de9b
    Bernhard Thaler authored
    IPv6 fragmented packets are not forwarded on an ethernet bridge
    with netfilter ip6_tables loaded. e.g. steps to reproduce
    
    1) create a simple bridge like this
    
            modprobe br_netfilter
            brctl addbr br0
            brctl addif br0 eth0
            brctl addif br0 eth2
            ifconfig eth0 up
            ifconfig eth2 up
            ifconfig br0 up
    
    2) place a host with an IPv6 address on each side of the bridge
    
            set IPv6 address on host A:
            ip -6 addr add fd01:2345:6789:1::1/64 dev eth0
    
            set IPv6 address on host B:
            ip -6 addr add fd01:2345:6789:1::2/64 dev eth0
    
    3) run a simple ping command on host A with packets > MTU
    
            ping6 -s 4000 fd01:2345:6789:1::2
    
    4) wait some time and run e.g. "ip6tables -t nat -nvL" on the bridge
    
    IPv6 fragmented packets traverse the bridge cleanly until somebody runs.
    "ip6tables -t nat -nvL". As soon as it is run (and netfilter modules are
    loaded) IPv6 fragmented packets do not traverse the bridge any more (you
    see no more responses in ping's output).
    
    After applying this patch IPv6 fragmented packets traverse the bridge
    cleanly in above scenario.
    Signed-off-by: default avatarBernhard Thaler <bernhard.thaler@wvnet.at>
    [pablo@netfilter.org: small changes to br_nf_dev_queue_xmit]
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    efb6de9b
netfilter.c 5.54 KB