Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services

To: Ansis Atteka <aatteka@xxxxxxxxxx>, kaber@xxxxxxxxx
Subject: Re: [PATCH] ipvs: fix ipv6 icmp forwarding in natted services
Cc: Art -kwaak- van Breemen <ard@xxxxxxxxxxxxxxx>, Julian Anastasov <ja@xxxxxx>, lvs-devel@xxxxxxxxxxxxxxx, Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
From: Hans Schillstrom <hans@xxxxxxxxxxxxxxx>
Date: Wed, 19 Feb 2014 22:46:49 +0100

Hi Ansis & Patrick

On Wed, 2014-02-19 at 12:32 -0800, Ansis Atteka wrote:
> On Wed, Feb 19, 2014 at 10:21 AM, Art -kwaak- van Breemen
> <ard@xxxxxxxxxxxxxxx> wrote:
> >
> > Hans,
> > I want to keep the patch as is, but change the description:
> >
> > ====
> > [PATCH] ipvs: fix wrong icmp_offset in ip_vs_nat_icmp_v6
> > From: Ard van Breemen <ard@xxxxxxxxxxxxxxx>
> >
> >
> > Fix regression introduced in 3.8 with commit 9195bb8e381d81
> > ("ipv6: improve ipv6_find_hdr() to skip empty routing headers")
> > which broke commit 63dca2c0b0e7a9
> > ("ipvs: Fix faulty IPv6 extension header handling in IPVS").
> > by a small change in ipv6_find_hdr: finding specific protocols is not
> > supported anymore, use -1 instead. Solves (pmtud) problems caused by
> > damaged IPv6 headers in NAT-ed ICMP packets.
> >
> > Signed-off-by: Ard van Breemen <ard@xxxxxxxxxxxxxxx>
> > CC: Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
> > CC: Hans Schillstrom <hans@xxxxxxxxxxxxxxx>
> >
> > ---
> >
> > Do you and Ansis agree with me?
> My changes to this function were necessary for the Open vSwitch
> set_ipv6() action implementation so that checksums would be correctly
> recalculated.
> I introduced IP6_FH_F_SKIP_RH flag that skips all Routing Headers,
> where segments_left==0. This flag allows Open vSwitch kernel module to
> figure out whether it needs to recalculate checksum after changing
> destination IP address in IPv6 header. In ipv6 the checksum is
> calculated over final destination IP address that could also be in
> Routing Header instead of ipv6 header (see rfc2460 section 8.1 for more
> details).
> I believe your patch would break meaning of IP6_FH_F_SKIP_RH flag,
> because it would exit early when it saw Routing Header where segments
> left == 0.

I saw that too in openvswitch/actions.c, i.e. it will break your patch.

But if you want to find a specific header, e.g. NEXTHDR_GRE,
that is not in ipv6_ext_hdr(), ipv6_find_hdr() will fail to do that;
it will return -ENOENT.

I still think ipv6_find_hdr is broken for nft_exthdr_eval() after
commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8

I guess the intention with nft_exthdr_eval() is to be able to find any
extension header, or?

I might be wrong here ...



Attachment: smime.p7s
Description: S/MIME cryptographic signature
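
The header-walk behaviour discussed in this message, as an added userspace example that is not part of the original e-mail and is not kernel source: a simplified model in which a specific target that is not an extension header yields -ENOENT, a target of -1 stops at the upper-layer header, and the skip flag passes over routing headers with segments_left == 0. The names `find_hdr_model`, `is_ext_hdr`, `FH_SKIP_RH` (with its value) and the `sample` bytes are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

enum { NH_HOP = 0, NH_ROUTING = 43, NH_ICMPV6 = 58, NH_DEST = 60 };
#define FH_SKIP_RH 1 /* stand-in for IP6_FH_F_SKIP_RH; value is assumed */

/* Constructed sample: bytes that follow the fixed IPv6 header (nexthdr 43). */
static const uint8_t sample[40] = {
    43, 0, 0, 0, 0, 0, 0, 0,   /* routing hdr, segments_left 0, 8 bytes */
    58, 2, 0, 1, 0, 0, 0, 0,   /* routing hdr, segments_left 1, 24 bytes */
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    128, 0, 0, 0, 0, 0, 0, 0,  /* ICMPv6 echo request stub */
};

/* Simplification: only hop-by-hop, routing and dest-opts are modelled. */
static int is_ext_hdr(int nh)
{
    return nh == NH_HOP || nh == NH_ROUTING || nh == NH_DEST;
}

/* target < 0: stop at the first non-extension header.
 * Returns the header type found (offset in *off) or a negative errno. */
static int find_hdr_model(const uint8_t *buf, size_t len, int nh,
                          int target, int flags, size_t *off)
{
    size_t pos = 0, hdrlen;
    for (;;) {
        int found = (nh == target);
        if (!is_ext_hdr(nh)) {
            if (target < 0)
                break;
            return -ENOENT; /* specific non-extension target: never matched */
        }
        if (len - pos < 8)
            return -EBADMSG; /* truncated extension header */
        /* routing header bytes: nexthdr, hdrlen, type, segments_left */
        if (nh == NH_ROUTING && (flags & FH_SKIP_RH) && buf[pos + 3] == 0)
            found = 0; /* exhausted routing header: keep walking */
        if (found)
            break;
        hdrlen = ((size_t)buf[pos + 1] + 1) * 8;
        if (hdrlen > len - pos)
            return -EBADMSG;
        nh = buf[pos];
        pos += hdrlen;
    }
    *off = pos;
    return nh;
}
```

Fragment and authentication headers have different length rules and are left out of this model.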
