From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 6 Apr 2006 19:44:25 +0000 (-0700)
Subject: netfilter patch added to the queue
X-Git-Tag: v2.6.16.2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=33ae391a98228a5d91d3059c7af7b0ccc2091322;p=thirdparty%2Fkernel%2Fstable-queue.git

netfilter patch added to the queue
---

diff --git a/queue-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch b/queue-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch
new file mode 100644
index 00000000000..5798ea2ef29
--- /dev/null
+++ b/queue-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch
@@ -0,0 +1,99 @@
+From kaber@trash.net Thu Apr  6 09:54:12 2006
+Message-ID: <4435471A.5010604@trash.net>
+Date: Thu, 06 Apr 2006 18:51:38 +0200
+From: Patrick McHardy <kaber@trash.net>
+To: Greg KH <greg@kroah.com>
+CC: stable@kernel.org,  davem@davemloft.net
+Subject: NETFILTER: Fix fragmentation issues with bridge netfilter
+
+[NETFILTER]: Fix fragmentation issues with bridge netfilter
+
+The conntrack code doesn't do re-fragmentation of defragmented packets
+anymore but relies on fragmentation in the IP layer. Purely bridged
+packets don't pass through the IP layer, so the bridge netfilter code
+needs to take care of fragmentation itself.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ include/net/ip.h          |    1 +
+ net/bridge/br_netfilter.c |   13 +++++++++++--
+ net/ipv4/ip_output.c      |    6 +++---
+ 3 files changed, 15 insertions(+), 5 deletions(-)
+
+--- linux-2.6.16.1.orig/include/net/ip.h
++++ linux-2.6.16.1/include/net/ip.h
+@@ -95,6 +95,7 @@ extern int		ip_local_deliver(struct sk_b
+ extern int		ip_mr_input(struct sk_buff *skb);
+ extern int		ip_output(struct sk_buff *skb);
+ extern int		ip_mc_output(struct sk_buff *skb);
++extern int		ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff *));
+ extern int		ip_do_nat(struct sk_buff *skb);
+ extern void		ip_send_check(struct iphdr *ip);
+ extern int		ip_queue_xmit(struct sk_buff *skb, int ipfragok);
+--- linux-2.6.16.1.orig/net/bridge/br_netfilter.c
++++ linux-2.6.16.1/net/bridge/br_netfilter.c
+@@ -739,6 +739,15 @@ out:
+ 	return NF_STOLEN;
+ }
+ 
++static int br_nf_dev_queue_xmit(struct sk_buff *skb)
++{
++	if (skb->protocol == htons(ETH_P_IP) &&
++	    skb->len > skb->dev->mtu &&
++	    !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
++		return ip_fragment(skb, br_dev_queue_push_xmit);
++	else
++		return br_dev_queue_push_xmit(skb);
++}
+ 
+ /* PF_BRIDGE/POST_ROUTING ********************************************/
+ static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb,
+@@ -798,7 +807,7 @@ static unsigned int br_nf_post_routing(u
+ 		realoutdev = nf_bridge->netoutdev;
+ #endif
+ 	NF_HOOK(pf, NF_IP_POST_ROUTING, skb, NULL, realoutdev,
+-	        br_dev_queue_push_xmit);
++	        br_nf_dev_queue_xmit);
+ 
+ 	return NF_STOLEN;
+ 
+@@ -843,7 +852,7 @@ static unsigned int ip_sabotage_out(unsi
+ 	if ((out->hard_start_xmit == br_dev_xmit &&
+ 	    okfn != br_nf_forward_finish &&
+ 	    okfn != br_nf_local_out_finish &&
+-	    okfn != br_dev_queue_push_xmit)
++	    okfn != br_nf_dev_queue_xmit)
+ #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE)
+ 	    || ((out->priv_flags & IFF_802_1Q_VLAN) &&
+ 	    VLAN_DEV_INFO(out)->real_dev->hard_start_xmit == br_dev_xmit)
+--- linux-2.6.16.1.orig/net/ipv4/ip_output.c
++++ linux-2.6.16.1/net/ipv4/ip_output.c
+@@ -86,8 +86,6 @@
+ 
+ int sysctl_ip_default_ttl = IPDEFTTL;
+ 
+-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*));
+-
+ /* Generate a checksum for an outgoing IP datagram. */
+ __inline__ void ip_send_check(struct iphdr *iph)
+ {
+@@ -421,7 +419,7 @@ static void ip_copy_metadata(struct sk_b
+  *	single device frame, and queue such a frame for sending.
+  */
+ 
+-static int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
++int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
+ {
+ 	struct iphdr *iph;
+ 	int raw = 0;
+@@ -673,6 +671,8 @@ fail:
+ 	return err;
+ }
+ 
++EXPORT_SYMBOL(ip_fragment);
++
+ int
+ ip_generic_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
+ {
diff --git a/queue-2.6.16/series b/queue-2.6.16/series
index aa797883ede..09d8d1793c8 100644
--- a/queue-2.6.16/series
+++ b/queue-2.6.16/series
@@ -3,3 +3,4 @@ powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch
 mpbl0010-driver-sysfs-permissions-wide-open.patch
 isd200-limit-to-blk_dev_ide.patch
 sky2-bad-memory-reference-on-dual-port-cards.patch
+netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch