Shan Wei wrote:
> Patrick McHardy wrote, at 02/04/2010 12:42 AM:
>> Shan Wei wrote:
>>> @@ -349,17 +378,20 @@ static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb, >>> else >>> fq->q.fragments = skb; >>> >>> - skb->dev = NULL; >>> fq->q.stamp = skb->tstamp; >>> fq->q.meat += skb->len; >>> atomic_add(skb->truesize, &nf_init_frags.mem); >>> >>> /* The first fragment. >>> * nhoffset is obtained from the first fragment, of course. >>> + * Reserve dev for sending an ICMP "Fragment Reassembly Timeout" >>> + * message. >>> */ >>> if (offset == 0) { >>> fq->nhoffset = nhoff; >>> fq->q.last_in |= INET_FRAG_FIRST_IN; >>> + } else { >>> + skb->dev = NULL; >>> }
>> We need to store the iif and perform a lookup later just as in IPv4
>> because the device is not reference counted and might disappear while
>> the fragments are queued.
>
> There is no net namespace in nf_conntrack_reasm,
> So we can't look up net device according to stored iif.
>
> How about introducing net namespace to nf_conntrack_reasm?
> There are the following two advantages:
> 1. nf_init_frags can be deleted, because net structure includes netns_frags structure member.
>
> 2. Record counter value, e.g. IPSTATS_MIB_REASMFAILS if reassemble with fail.
> Since IPv6 conntrack fails to reassemble fragments, then the original fragment is not forwarded to IPv6 stack.
> The counter value can't be recorded. But IPv4 conntrack uses IPv4 defrag code, and records
> counter value correctly.
>
> These are just my thoughts, no practice.

Sounds good to me.
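
Review bot: in the `if (offset == 0)` branch of the quoted nf_ct_frag6_queue() hunk, the first fragment now keeps `skb->dev` for as long as it sits on the reassembly queue, and nothing visible in the hunk takes a reference on that device, so the pointer can go stale if the device is unregistered before the timeout path uses it to send the ICMP "Fragment Reassembly Timeout" message. Consider keeping the unconditional `skb->dev = NULL;` and recording the input interface index in the queue instead, then resolving the device when the timeout fires, as the reply above says is done for IPv4. That lookup needs a net namespace available to nf_conntrack_reasm, which the thread notes is currently missing, so the namespace change would have to land first or together with this one.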