Jan Engelhardt wrote:
> On Wednesday 2010-02-10 20:26, Jozsef Kadlecsik wrote:
>>> This might actually be a bug. IPv4 uses:
>>>
>>> NF_IP_PRI_FIRST = INT_MIN,
>>> NF_IP_PRI_CONNTRACK_DEFRAG = -400,
>>> NF_IP_PRI_RAW = -300,
>>> NF_IP_PRI_SELINUX_FIRST = -225,
>>> NF_IP_PRI_CONNTRACK = -200,
>>>
>>> while IPv6 uses:
>>>
>>> NF_IP6_PRI_FIRST = INT_MIN,
>>> NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
>>> NF_IP6_PRI_SELINUX_FIRST = -225,
>>> NF_IP6_PRI_CONNTRACK = -200,
>>>
>>> So we actually defragment packets in IPv4 even though they're
>>> untracked. Perhaps Jozsef knows more details why we use
>>> different priorities here.
>>
>> We have to defragment otherwise we could not track and untrack connections
>> at the same time. Fragments don't carry protocol/port so we cannot tell
>> which fragment belongs to a not tracked and which one belongs to a tracked
>> connection.
>
> How so? If I untrack something in the raw table, I would have
> assumed it skips all conntracking - including defrag.
>
> Even before defrag, what's wrong with skb->nfct = &the_untracked_conn?

You can't construct your ruleset to properly deal with fragments.
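An added illustration of the point made in the thread, not code from the list or the kernel: it emulates the IPv4 hook order (defrag at -400 running before the raw table at -300) against a hypothetical raw-table "tcp dport N -j NOTRACK" rule over a constructed set of fragments, showing that non-first fragments cannot be classified by port unless defragmentation runs first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hook priorities as quoted in the thread (IPv4); lower values run first.
NF_IP_PRI_CONNTRACK_DEFRAG = -400
NF_IP_PRI_RAW = -300
NF_IP_PRI_CONNTRACK = -200

@dataclass
class Fragment:
    ident: int            # IP identification, shared by all fragments of one datagram
    offset: int           # fragment offset in 8-byte units; 0 marks the first fragment
    dport: Optional[int]  # L4 destination port; only the first fragment carries it

def defrag(frags: List[Fragment]) -> List[Fragment]:
    """Emulate nf_defrag: merge fragments sharing an IP ID into one datagram
    that carries the first fragment's L4 header."""
    by_id: Dict[int, Fragment] = {}
    for f in sorted(frags, key=lambda f: (f.ident, f.offset)):
        if f.ident not in by_id:
            by_id[f.ident] = Fragment(f.ident, 0, f.dport)
    return list(by_id.values())

def raw_untrack(pkt: Fragment, untracked_ports: set) -> str:
    """Emulate a hypothetical raw-table rule '-p tcp --dport N -j NOTRACK'.
    A fragment without an L4 header cannot match a port at all."""
    if pkt.dport is None:
        return "ambiguous"
    return "untracked" if pkt.dport in untracked_ports else "tracked"

def classify(frags: List[Fragment], untracked_ports: set, defrag_first: bool) -> Dict[str, int]:
    """Run the hooks in priority order and count how the raw table classifies each packet."""
    hooks = [(NF_IP_PRI_RAW, "raw")]
    if defrag_first:  # IPv4 ordering from the thread; omit to see raw run on bare fragments
        hooks.append((NF_IP_PRI_CONNTRACK_DEFRAG, "defrag"))
    pkts = list(frags)
    counts = {"untracked": 0, "tracked": 0, "ambiguous": 0}
    for _prio, name in sorted(hooks):
        if name == "defrag":
            pkts = defrag(pkts)
        else:
            for p in pkts:
                counts[raw_untrack(p, untracked_ports)] += 1
    return counts

# Constructed sample: two datagrams, each split into two fragments; port 80 is to be untracked.
SAMPLE = [Fragment(1, 0, 80), Fragment(1, 185, None),
          Fragment(2, 0, 22), Fragment(2, 185, None)]
```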