netfilter: nf_flow_table: ignore DF bit setting

commit e75b3e1c9bc5b997d09bdf8eb72ab3dd3c1a7072 upstream. Its irrelevant if the DF bit is set or not, we must pass packet to stack in either case. If the DF bit is set, we must pass it to stack so the appropriate ICMP error can be generated. If the DF is not set, we must pass it to stack for fragmentation. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Florian Westphal <fw@strlen.de> 2019-05-21 13:24:30 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-07-10 09:53:30 +0200
commit: 3b2734bc839d188e44934f5f2f4fe9a487bdaa47 (patch)
tree: 326c86b28f78a87b81115c377eb1bc72480bf4ab
parent: 869eec894663f6ef48859e4f86bd7e62daf2345a (diff)
download: linux-stable-3b2734bc839d188e44934f5f2f4fe9a487bdaa47.tar.gz
1 files changed, 1 insertions, 2 deletions
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 129e9ec99ec97..a8c9ea12c3f58 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -246,8 +246,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
 	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
 	rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
 
-	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)) &&
-	    (ip_hdr(skb)->frag_off & htons(IP_DF)) != 0)
+	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
 		return NF_ACCEPT;
 
 	if (skb_try_make_writable(skb, sizeof(*iph)))
author	Florian Westphal <fw@strlen.de>	2019-05-21 13:24:30 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-07-10 09:53:30 +0200
commit	3b2734bc839d188e44934f5f2f4fe9a487bdaa47 (patch)
tree	326c86b28f78a87b81115c377eb1bc72480bf4ab
parent	869eec894663f6ef48859e4f86bd7e62daf2345a (diff)
download	linux-stable-3b2734bc839d188e44934f5f2f4fe9a487bdaa47.tar.gz