On Wednesday 2010-02-10 20:26, Jozsef Kadlecsik wrote:

>>
>> This might actually be a bug. IPv4 uses:
>>
>>     NF_IP_PRI_FIRST = INT_MIN,
>>     NF_IP_PRI_CONNTRACK_DEFRAG = -400,
>>     NF_IP_PRI_RAW = -300,
>>     NF_IP_PRI_SELINUX_FIRST = -225,
>>     NF_IP_PRI_CONNTRACK = -200,
>>
>> while IPv6 uses:
>>
>>     NF_IP6_PRI_FIRST = INT_MIN,
>>     NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
>>     NF_IP6_PRI_SELINUX_FIRST = -225,
>>     NF_IP6_PRI_CONNTRACK = -200,
>>
>> So we actually defragment packets in IPv4 even though they're
>> untracked. Perhaps Jozsef knows more details why we use
>> different priorities here.
>
> We have to defragment otherwise we could not track and untrack connections
> at the same time. Fragments don't carry protocol/port so we cannot tell
> which fragment belongs to a not tracked and which one belongs to a tracked
> connection.

How so? If I untrack something in the raw table, I would have assumed it
skips all conntracking - including defrag.

Even before defrag, what's wrong with skb->nfct = &the_untracked_conn?
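The ordering question in this thread comes down to how netfilter runs hooks: registered hooks execute in ascending priority order, so a NOTRACK rule in the raw table (priority -300) can only be evaluated after the IPv4 defragmentation hook (priority -400) has already reassembled the packet. The model below is an added example, not code from the thread or from the kernel; it keeps a chain sorted by priority using only the NF_IP_PRI_* / NF_IP6_PRI_* values quoted above (the IPv6 list contains no raw entry because the quoted enum lists none), and answers "does hook A run before hook B?" for each family. The hook names and the `runs_before` helpers are assumptions for illustration.

```c
/* Added example, not the kernel's code: a sorted-by-priority model of a
 * netfilter hook chain built from the priority values quoted in the thread. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hook {
    const char *name;   /* illustrative name, not a kernel identifier */
    int priority;       /* lower value runs first, as in the kernel */
};

/* IPv4 priorities quoted in the thread, deliberately listed out of order
 * to show that registration order does not matter, only priority does. */
static struct hook ipv4_hooks[] = {
    { "conntrack",        -200 },    /* NF_IP_PRI_CONNTRACK */
    { "selinux_first",    -225 },    /* NF_IP_PRI_SELINUX_FIRST */
    { "raw",              -300 },    /* NF_IP_PRI_RAW */
    { "conntrack_defrag", -400 },    /* NF_IP_PRI_CONNTRACK_DEFRAG */
    { "first",            INT_MIN }, /* NF_IP_PRI_FIRST */
};

/* IPv6 priorities quoted in the thread: note there is no raw entry. */
static struct hook ipv6_hooks[] = {
    { "conntrack",        -200 },    /* NF_IP6_PRI_CONNTRACK */
    { "selinux_first",    -225 },    /* NF_IP6_PRI_SELINUX_FIRST */
    { "conntrack_defrag", -400 },    /* NF_IP6_PRI_CONNTRACK_DEFRAG */
    { "first",            INT_MIN }, /* NF_IP6_PRI_FIRST */
};

/* Compare by priority without subtraction, so INT_MIN cannot overflow. */
static int cmp_priority(const void *a, const void *b)
{
    const struct hook *ha = a, *hb = b;
    return (ha->priority > hb->priority) - (ha->priority < hb->priority);
}

/* Put the chain into execution order, as the kernel does on registration. */
static void sort_hooks(struct hook *hooks, size_t n)
{
    qsort(hooks, n, sizeof *hooks, cmp_priority);
}

/* Index of a named hook in the chain, or -1 if it is not registered. */
static int hook_index(const struct hook *hooks, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(hooks[i].name, name) == 0)
            return (int)i;
    return -1;
}

/* 1 if hook a executes before hook b, 0 if after, -1 if either is absent. */
static int runs_before(struct hook *hooks, size_t n,
                       const char *a, const char *b)
{
    sort_hooks(hooks, n);
    int ia = hook_index(hooks, n, a);
    int ib = hook_index(hooks, n, b);
    if (ia < 0 || ib < 0)
        return -1;
    return ia < ib;
}

int ipv4_runs_before(const char *a, const char *b)
{
    return runs_before(ipv4_hooks, sizeof ipv4_hooks / sizeof *ipv4_hooks, a, b);
}

int ipv6_runs_before(const char *a, const char *b)
{
    return runs_before(ipv6_hooks, sizeof ipv6_hooks / sizeof *ipv6_hooks, a, b);
}

int main(void)
{
    /* In IPv4 the raw table (and so NOTRACK) is evaluated after defrag. */
    printf("IPv4: defrag runs before raw: %d\n",
           ipv4_runs_before("conntrack_defrag", "raw"));
    printf("IPv4: raw runs before conntrack: %d\n",
           ipv4_runs_before("raw", "conntrack"));
    /* In the quoted IPv6 list there is no raw hook at all. */
    printf("IPv6: raw registered: %s\n",
           ipv6_runs_before("raw", "conntrack") < 0 ? "no" : "yes");
    return 0;
}
```

With these values the IPv4 result is the one the thread is puzzling over: by the time a raw-table rule marks a packet as untracked, the defrag hook has already run, so untracking cannot skip defragmentation regardless of what the raw rule does.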