On Wednesday 2010-02-10 20:46, Patrick McHardy wrote: >Jan Engelhardt wrote: >> On Wednesday 2010-02-10 20:26, Jozsef Kadlecsik wrote: >>>> This might actually be a bug. IPv4 uses: >>>> >>>> NF_IP_PRI_FIRST = INT_MIN, >>>> NF_IP_PRI_CONNTRACK_DEFRAG = -400, >>>> NF_IP_PRI_RAW = -300, >>>> NF_IP_PRI_SELINUX_FIRST = -225, >>>> NF_IP_PRI_CONNTRACK = -200, >>>> >>>> while IPv6 uses: >>>> >>>> NF_IP6_PRI_FIRST = INT_MIN, >>>> NF_IP6_PRI_CONNTRACK_DEFRAG = -400, >>>> NF_IP6_PRI_SELINUX_FIRST = -225, >>>> NF_IP6_PRI_CONNTRACK = -200, >>>> >>>> So we actually defragment packets in IPv4 even though they're >>>> untracked. Perhaps Jozsef knows more details why we use >>>> different priorities here. >>> We have to defragment otherwise we could not track and untrack connections >>> at the same time. Fragments don't carry protocol/port so we cannot tell >>> which fragment belongs to a not tracked and which one belongs to a tracked >>> connection. >> >> How so? If I untrack something in the raw table, I would have >> assumed it skips all conntracking - including defrag. >> >> Even before defrag, what's wrong with skb->nfct = &the_untracked_conn? > >You can't construct your ruleset to properly deal with fragments. NOTRACK is (also) used for cases where we know packets will go to various forms of tarpits (same, REJECT, DROP), in which case fragments usually won't be of interest either. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html