From: Eli Cooper <elicoo...@gmx.com>
Date: Tue, 29 Nov 2016 10:35:28 +0800
> When xfrm is applied to TSO/GSO packets, it follows this path:
>
> xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
>
> where skb_gso_segment() relies on skb->protocol to function properly.
>
> This patch sets skb->protocol properly before dst_output() is called,
> fixing a bug where GSO packets sent through a sit or ipip6 tunnel are
> dropped when xfrm is involved.
>
> Cc: sta...@vger.kernel.org
> Signed-off-by: Eli Cooper <elicoo...@gmx.com>
> ---
> net/ipv4/ip_output.c | 4 +++-
> net/ipv6/output_core.c | 4 +++-
> 2 files changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 105908d..0180e44 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -117,8 +117,10 @@ int ip_local_out(struct net *net, struct sock *sk,
> struct sk_buff *skb)
> int err;
>
> err = __ip_local_out(net, sk, skb);
> - if (likely(err == 1))
> + if (likely(err == 1)) {
> + skb->protocol = htons(ETH_P_IP);
> err = dst_output(net, sk, skb);
> + }
>
__ip_local_out() potentially does a dst_output() call too via the
netfilter hook, so you definitely need to place the skb->protocol
assignment before that netfilter hook.
