On Tue, Mar 7, 2023 at 12:11 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Daniel Xu <dxu@xxxxxxxxx> wrote:
> > From my reading (I'll run some tests later) it looks like netfilter
> > will defrag all ipv4/ipv6 packets in any netns with conntrack enabled.
> > It appears to do so in NF_INET_PRE_ROUTING.
>
> Yes, and output.
>
> > One thing we would need though are (probably kfunc) wrappers around
> > nf_defrag_ipv4_enable() and nf_defrag_ipv6_enable() to ensure BPF progs
> > are not transitively depending on defrag support from other netfilter
> > modules.
> >
> > The exact mechanism would probably need some thinking, as the above
> > functions kinda rely on module_init() and module_exit() semantics. We
> > cannot make the prog bump the refcnt every time it runs -- it would
> > overflow. And it would be nice to automatically free the refcnt when
> > prog is unloaded.
>
> Probably add a flag attribute that is evaluated at BPF_LINK time, so
> progs can say they need defrag enabled. Same could be used to request
> conntrack enablement.
>
> Will need some glue on netfilter side to handle DEFRAG=m, but we already
> have plenty of those.

All makes perfect sense to me.
It's cleaner than a special netdevice.

ipv4_conntrack_defrag() is pretty neat. I didn't know about it.
If we can reuse it as-is that would be ideal.
Conceptually it fits perfectly.
If we cannot reuse it (for whatever unlikely reason)
I would argue that TC hook should gain similar functionality.
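The refcount lifetime question raised in the thread (why a per-packet bump would overflow, and why taking the reference once at link creation and dropping it on unload is the right shape) can be shown with a small userspace model. This is an added illustration written for this page, not kernel code and not code from any participant; the flag name BPF_F_NEED_DEFRAG, the model_* functions and the struct layouts are hypothetical stand-ins for the real nf_defrag_ipv4_enable()/disable pair and for a BPF link, chosen only to make the ownership rule concrete.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical link-creation flag (not a real uapi value). */
#define BPF_F_NEED_DEFRAG (1U << 0)

/* Model of the users counter that nf_defrag_ipv4_enable() maintains per netns:
 * hooks are registered while at least one user holds a reference. */
struct defrag_state {
    unsigned int users;
    bool hooks_registered;
};

/* Model of a BPF link: remembers whether it took a defrag reference so the
 * reference can be dropped automatically when the link goes away. */
struct bpf_link_model {
    unsigned int flags;
    bool holds_defrag;
};

/* First user registers the hooks (mirrors the enable side). */
static void model_defrag_enable(struct defrag_state *st)
{
    if (st->users++ == 0)
        st->hooks_registered = true;
}

/* Last user unregisters the hooks (mirrors the disable side). */
static void model_defrag_disable(struct defrag_state *st)
{
    if (st->users == 0)
        return;                 /* underflow guard: a caller bug, not a normal path */
    if (--st->users == 0)
        st->hooks_registered = false;
}

/* Link creation: the flag is evaluated exactly once, one reference per link. */
static void model_link_create(struct bpf_link_model *l, unsigned int flags,
                              struct defrag_state *st)
{
    l->flags = flags;
    l->holds_defrag = false;
    if (flags & BPF_F_NEED_DEFRAG) {
        model_defrag_enable(st);
        l->holds_defrag = true;
    }
}

/* Link release (prog unload / link close): the reference is freed without the
 * program having to do anything. */
static void model_link_release(struct bpf_link_model *l, struct defrag_state *st)
{
    if (l->holds_defrag) {
        model_defrag_disable(st);
        l->holds_defrag = false;
    }
}

/* Per-packet path: reads state only; never touches the refcount, so running
 * billions of times cannot overflow the counter. */
static bool model_prog_run(const struct bpf_link_model *l, const struct defrag_state *st)
{
    (void)l;
    return st->hooks_registered;
}

/* Constructed scenario: one link asks for defrag, one does not, npackets run,
 * then both links are released. Returns the peak users value observed. */
static unsigned int scenario_peak_users(unsigned int npackets)
{
    struct defrag_state st = {0};
    struct bpf_link_model a, b;
    unsigned int i, peak;

    model_link_create(&a, BPF_F_NEED_DEFRAG, &st);
    model_link_create(&b, 0, &st);
    peak = st.users;
    for (i = 0; i < npackets; i++)
        if (st.users > peak)
            peak = st.users;
        else
            (void)model_prog_run(&a, &st);
    model_link_release(&a, &st);
    model_link_release(&b, &st);
    return peak;
}

/* Same scenario, returning the users count left after both links are gone. */
static unsigned int scenario_final_users(unsigned int npackets)
{
    struct defrag_state st = {0};
    struct bpf_link_model a, b;
    unsigned int i;

    model_link_create(&a, BPF_F_NEED_DEFRAG, &st);
    model_link_create(&b, 0, &st);
    for (i = 0; i < npackets; i++)
        (void)model_prog_run(&a, &st);
    model_link_release(&a, &st);
    model_link_release(&b, &st);
    return st.users;
}

/* A link created without the flag must not register the hooks on its own. */
static bool link_without_flag_registers_hooks(void)
{
    struct defrag_state st = {0};
    struct bpf_link_model l;

    model_link_create(&l, 0, &st);
    return st.hooks_registered;
}

int main(void)
{
    printf("peak users: %u, final users: %u, hooks without flag: %d\n",
           scenario_peak_users(1000000), scenario_final_users(1000000),
           link_without_flag_registers_hooks());
    return 0;
}
```

The point of the model is the ownership rule: the counter moves only at link create and link release, so its maximum value is the number of links, not the number of packets, and a program that is unloaded cannot leak a reference.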