[NETFILTER]: Fix fragmentation issues with bridge netfilter

[net-next-2.6.git] / net / ipv4 / ip_output.c

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 71da31818cfc434473678fe149c1c9b9c692cdf8..8dcba3887f04eb647df01ae404b3b9bda955408d 100644 (file)
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -69,6 +69,7 @@
 #include <net/ip.h>
 #include <net/protocol.h>
 #include <net/route.h>
+#include <net/xfrm.h>
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/arp.h>
@@ -202,6 +203,13 @@ static inline int ip_finish_output2(struct sk_buff *skb)
 
 static inline int ip_finish_output(struct sk_buff *skb)
 {
+#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
+       /* Policy lookup after SNAT yielded a new policy */
+       if (skb->dst->xfrm != NULL) {
+               IPCB(skb)->flags |= IPSKB_REROUTED;
+               return dst_output(skb);
+       }
+#endif
        if (skb->len > dst_mtu(skb->dst) &&
            !(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
                return ip_fragment(skb, ip_finish_output2);
@@ -263,8 +271,9 @@ int ip_mc_output(struct sk_buff *skb)
                                newskb->dev, ip_dev_loopback_xmit);
        }
 
-       return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
-                      ip_finish_output);
+       return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
+                           ip_finish_output,
+                           !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
 int ip_output(struct sk_buff *skb)
@@ -276,8 +285,9 @@ int ip_output(struct sk_buff *skb)
        skb->dev = dev;
        skb->protocol = htons(ETH_P_IP);
 
-       return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
-                      ip_finish_output);
+       return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
+                           ip_finish_output,
+                           !(IPCB(skb)->flags & IPSKB_REROUTED));
 }
 
 int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
@@ -418,7 +428,7 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
        struct sk_buff *skb2;
        unsigned int mtu, hlen, left, len, ll_rs;
        int offset;
-       int not_last_frag;
+       __be16 not_last_frag;
        struct rtable *rt = (struct rtable*)skb->dst;
        int err = 0;
 
@@ -661,6 +671,8 @@ fail:
        return err;
 }
 
+EXPORT_SYMBOL(ip_fragment);
+
 int
 ip_generic_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
 {
@@ -835,10 +847,11 @@ int ip_append_data(struct sock *sk,
        if (((length > mtu) && (sk->sk_protocol == IPPROTO_UDP)) &&
                        (rt->u.dst.dev->features & NETIF_F_UFO)) {
 
-               if(ip_ufo_append_data(sk, getfrag, from, length, hh_len,
-                              fragheaderlen, transhdrlen, mtu, flags))
+               err = ip_ufo_append_data(sk, getfrag, from, length, hh_len,
+                                        fragheaderlen, transhdrlen, mtu,
+                                        flags);
+               if (err)
                        goto error;
-
                return 0;
        }
 
@@ -1180,7 +1193,7 @@ int ip_push_pending_frames(struct sock *sk)
        struct ip_options *opt = NULL;
        struct rtable *rt = inet->cork.rt;
        struct iphdr *iph;
-       int df = 0;
+       __be16 df = 0;
        __u8 ttl;
        int err = 0;
 
@@ -1236,11 +1249,7 @@ int ip_push_pending_frames(struct sock *sk)
        iph->tos = inet->tos;
        iph->tot_len = htons(skb->len);
        iph->frag_off = df;
-       if (!df) {
-               __ip_select_ident(iph, &rt->u.dst, 0);
-       } else {
-               iph->id = htons(inet->id++);
-       }
+       ip_select_ident(iph, &rt->u.dst, sk);
        iph->ttl = ttl;
        iph->protocol = sk->sk_protocol;
        iph->saddr = rt->rt_src;
@@ -1391,7 +1400,6 @@ void __init ip_init(void)
 #endif
 }
 
-EXPORT_SYMBOL(ip_fragment);
 EXPORT_SYMBOL(ip_generic_getfrag);
 EXPORT_SYMBOL(ip_queue_xmit);
 EXPORT_SYMBOL(ip_send_check);