Thank you for your reply! > Some network devices that would not able to ping large packet under > bridge, but large packet ping is successful if not enable NF_CONNTRACK_BRIDGE. > Can you add a new test to tools/testing/selftests/net/netfilter/ that demonstrates this problem? Maybe I can't demonstrate this problem with a shell script, I actually discovered this problem while debugging a wifi network device. This netdevice is set a large needed_headroom(80), so ll_rs is oversize and goto blackhole. We can easily to reproduce it by configing needed_headroom in a netdevice, then add this netdevice to a bridge, and test bridge forwarding. ping large packet could reproduce this appearance.(successful if not enable NF_CONNTRACK_BRIDGE) > I guess this should be > > if (first_len - hlen > mtu) > goto blackhole; > if (skb_headroom(skb) < ll_rs) > goto expand_headroom; > ... but I'm not sure what the actual problem is. Yes, your guess is correct! Actual problem: I think it is unreasonable to directly drop skb with insufficient headroom. > Why does this need to make a full skb copy? > Should that be using skb_expand_head()? Using skb_expand_head has the same effect. > Actually, can't you just (re)use the slowpath for the skb_headroom < ll_rs case instead of adding headroom expansion? I tested it just now, reuse the slowpath will successed. But maybe this change cannot resolve all cases if the netdevice really needs this headroom. Best Regards, Huajian -----邮件原件----- 发件人: Florian Westphal [mailto:fw@xxxxxxxxx] 发送时间: 2025年4月9日 17:18 收件人: Yang Huajian(杨华健) <huajianyang@xxxxxxxxxxxx> 抄送: pablo@xxxxxxxxxxxxx; kadlec@xxxxxxxxxxxxx; razor@xxxxxxxxxxxxx; idosch@xxxxxxxxxx; davem@xxxxxxxxxxxxx; dsahern@xxxxxxxxxx; edumazet@xxxxxxxxxx; kuba@xxxxxxxxxx; pabeni@xxxxxxxxxx; horms@xxxxxxxxxx; netfilter-devel@xxxxxxxxxxxxxxx; coreteam@xxxxxxxxxxxxx; bridge@xxxxxxxxxxxxxxx; netdev@xxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx 主题: Re: [PATCH] net: Expand headroom to send fragmented packets in bridge fragment forward Huajian Yang <huajianyang@xxxxxxxxxxxx> wrote: > The config NF_CONNTRACK_BRIDGE will change the way fragments are processed. > Bridge does not know that it is a fragmented packet and forwards it > directly, after NF_CONNTRACK_BRIDGE is enabled, function > nf_br_ip_fragment will check and fraglist this packet. > > Some network devices that would not able to ping large packet under > bridge, but large packet ping is successful if not enable NF_CONNTRACK_BRIDGE. Can you add a new test to tools/testing/selftests/net/netfilter/ that demonstrates this problem? > In function nf_br_ip_fragment, checking the headroom before sending is > undoubted, but it is unreasonable to directly drop skb with > insufficient headroom. Are we talking about if (first_len - hlen > mtu or skb_headroom(skb) < ll_rs) ? > > if (first_len - hlen > mtu || > skb_headroom(skb) < ll_rs) > - goto blackhole; > + goto expand_headroom; I guess this should be if (first_len - hlen > mtu) goto blackhole; if (skb_headroom(skb) < ll_rs) goto expand_headroom; ... but I'm not sure what the actual problem is. > +expand_headroom: > + struct sk_buff *expand_skb; > + > + expand_skb = skb_copy_expand(skb, ll_rs, skb_tailroom(skb), GFP_ATOMIC); > + if (unlikely(!expand_skb)) > + goto blackhole; Why does this need to make a full skb copy? Should that be using skb_expand_head()? > slow_path: Actually, can't you just (re)use the slowpath for the skb_headroom < ll_rs case instead of adding headroom expansion?
