On Thu, 3 Nov 2016 22:34:34 +0100 Hannes Frederic Sowa <han...@stressinduktion.org> wrote:
> Correct, but we should maybe redefine the code a bit. From my
> understanding we can now create an ICMP storm in case every fragment gets.
Yes, you are right. Each segment gets into ip_fragment, and due to outer DF being set, ICMP_FRAG_NEEDED is sent per segment.

BTW, suppose GRO is off, and sender actually did send a burst of (non-gso) packets with outer DF set, and each was tunnel encapsulated, resulting in oversized frames. Wouldn't the stack just send the ICMP_FRAG_NEEDED per encapsulated frame?

If so, then the GRO behaviour is aligned, and there's nothing to fix.

Best,
Shmulik