From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 12 Jun 2014 17:49:59 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.4.94~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7630368d4b09e7e8ae6fced02439a9519e082c6d;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
	netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch
---

diff --git a/queue-3.14/netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch b/queue-3.14/netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch
new file mode 100644
index 00000000000..c53cdc18a0b
--- /dev/null
+++ b/queue-3.14/netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch
@@ -0,0 +1,58 @@
+From 895162b1101b3ea5db08ca6822ae9672717efec0 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 2 May 2014 15:32:16 +0200
+Subject: netfilter: ipv4: defrag: set local_df flag on defragmented skb
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 895162b1101b3ea5db08ca6822ae9672717efec0 upstream.
+
+else we may fail to forward skb even if original fragments do fit
+outgoing link mtu:
+
+1. remote sends 2k packets in two 1000 byte frags, DF set
+2. we want to forward but only see '2k > mtu and DF set'
+3. we then send icmp error saying that outgoing link is 1500
+
+But original sender never sent a packet that would not fit
+the outgoing link.
+
+Setting local_df makes outgoing path test size vs.
+IPCB(skb)->frag_max_size, so we will still send the correct
+error in case the largest original size did not fit
+outgoing link mtu.
+
+Reported-by: Maxime Bizon <mbizon@freebox.fr>
+Suggested-by: Maxime Bizon <mbizon@freebox.fr>
+Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking)
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/nf_defrag_ipv4.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
++++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
+@@ -22,7 +22,6 @@
+ #endif
+ #include <net/netfilter/nf_conntrack_zones.h>
+ 
+-/* Returns new sk_buff, or NULL */
+ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ 	int err;
+@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struc
+ 	err = ip_defrag(skb, user);
+ 	local_bh_enable();
+ 
+-	if (!err)
++	if (!err) {
+ 		ip_send_check(ip_hdr(skb));
++		skb->local_df = 1;
++	}
+ 
+ 	return err;
+ }
diff --git a/queue-3.14/series b/queue-3.14/series
index bdbdc84c6e0..ba2a88fca34 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -1 +1,2 @@
 fs-userns-change-inode_capable-to-capable_wrt_inode_uidgid.patch
+netfilter-ipv4-defrag-set-local_df-flag-on-defragmented-skb.patch