>Don't strip the ml
>
>---------- Forwarded message ----------
>> On Thursday 2009-07-23 08:40, Giacomo wrote:
>>>
>>> Starting from NF_IP_PRE_ROUTING, where destination NAT and de-masquerading take place, do the packets arrive fragmented (and netfilter takes care of the fragments), or do they arrive already reassembled from the IP stack?
>>>
>>> In the first case, what is, generally speaking, the technique adopted to track fragmented IP packets and assign each of them to the correct flow?
>>
>> Connection tracking does not care about packets or their fragment bits per se.
>
> Yes, but suppose a fragmented IP packet hits the NF_IP_PRE_ROUTING hook and has to be destination-NATted (for instance because it is part of a masqueraded stream). Such a packet, without a TCP header, must be recognized as part of the masqueraded stream, and it has only an IP header, with `More Fragments' set, and some data. How is it associated with the masqueraded flow if the packet is not reassembled?

It would not be. Hence the defragmenter is mandatory.

> That is, how is it destination-NATted?

Once it is defragmented, NAT can take place.

>> Because it reads out the layer-4 header (TCP/etc.) however, it defragments packets for simplicity.
>>
>>> In the second case, if I register with the netfilter NF_IP_PRE_ROUTING hook, which is the correct "priority" to assign during registration to receive packets already reassembled?
>>
>> Before NF_IP_PRI_CONNTRACK_DEFRAG.
>
> Do you mean that before NF_IP_PRI_CONNTRACK_DEFRAG, i.e. NF_IP_PRI_FIRST,

Before NF_IP_PRI_CONNTRACK_DEFRAG, fragments will be visible.

> in the NF_IP_PRE_ROUTING hook, packets arrive reassembled, that is, there are no IP packets with 'More Fragments' set to true?
>
> Thanks a lot, very kind of you.
>
> Giacomo
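As an added example, not part of the thread or of the netfilter code, here is a user-space C model of the ordering described above: a PRE_ROUTING hook registered below NF_IP_PRI_CONNTRACK_DEFRAG runs before the defragmenter and sees raw fragments, while conntrack and DNAT run after it and only ever see whole datagrams, which matters because a non-first fragment carries no TCP header to match a flow on. The priority values are the ones from the kernel's enum nf_ip_hook_priorities; the IPv4 header bytes are constructed.

```c
/* Added example, not from the thread: user-space model of the hook order.
 * Priorities copied from enum nf_ip_hook_priorities in <linux/netfilter_ipv4.h>;
 * the IPv4 header bytes below are constructed. */
#include <limits.h>
#include <stdint.h>

#define NF_IP_PRI_FIRST            INT_MIN
#define NF_IP_PRI_CONNTRACK_DEFRAG (-400)
#define NF_IP_PRI_RAW              (-300)
#define NF_IP_PRI_CONNTRACK        (-200)
#define NF_IP_PRI_NAT_DST          (-100)

enum frag_kind { NOT_FRAGMENTED, FIRST_FRAGMENT, LATER_FRAGMENT };

/* Bytes 6-7 of the IPv4 header: 3 flag bits (R, DF, MF) + 13-bit offset. */
static enum frag_kind classify_ipv4(const uint8_t *hdr)
{
    uint16_t word = (uint16_t)((hdr[6] << 8) | hdr[7]);
    int more_fragments = (word & 0x2000) != 0;
    unsigned offset = word & 0x1fff;          /* in 8-byte units */

    if (offset != 0)
        return LATER_FRAGMENT;                /* carries no TCP/UDP header */
    return more_fragments ? FIRST_FRAGMENT : NOT_FRAGMENTED;
}

/* Hooks run in ascending priority order. Anything registered below
 * NF_IP_PRI_CONNTRACK_DEFRAG runs before nf_defrag_ipv4 and sees raw
 * fragments; conntrack (-200) and DNAT (-100) run after it. */
static int hook_sees_fragments(int priority)
{
    return priority < NF_IP_PRI_CONNTRACK_DEFRAG;
}

/* Can a hook at this priority read the L4 header that a conntrack tuple
 * needs? Always after defrag; before it, only for whole or first fragments. */
static int l4_header_visible(int priority, const uint8_t *hdr)
{
    if (!hook_sees_fragments(priority))
        return 1;
    return classify_ipv4(hdr) != LATER_FRAGMENT;
}

/* Constructed TCP datagram fragments: MF set, offset 185 (x8 bytes) vs. 0. */
static const uint8_t later_frag[20] = { 0x45, 0x00, 0x05, 0xdc, 0x1c, 0x46, 0x20, 0xb9,
    0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x01 };
static const uint8_t first_frag[20] = { 0x45, 0x00, 0x05, 0xdc, 0x1c, 0x46, 0x20, 0x00,
    0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x01 };
```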