Daniel Xu <dxu@xxxxxxxxx> wrote:
> From my reading (I'll run some tests later) it looks like netfilter
> will defrag all ipv4/ipv6 packets in any netns with conntrack enabled.
> It appears to do so in NF_INET_PRE_ROUTING.

Yes, and output.

> One thing we would need though are (probably kfunc) wrappers around
> nf_defrag_ipv4_enable() and nf_defrag_ipv6_enable() to ensure BPF progs
> are not transitively depending on defrag support from other netfilter
> modules.
>
> The exact mechanism would probably need some thinking, as the above
> functions kinda rely on module_init() and module_exit() semantics. We
> cannot make the prog bump the refcnt every time it runs -- it would
> overflow. And it would be nice to automatically free the refcnt when
> prog is unloaded.

Probably add a flag attribute that is evaluated at BPF_LINK time, so
progs can say they need defrag enabled.

Same could be used to request conntrack enablement.

Will need some glue on netfilter side to handle DEFRAG=m, but we
already have plenty of those.