On Wed, 10 Feb 2010, Jan Engelhardt wrote:

> On Wednesday 2010-02-10 20:26, Jozsef Kadlecsik wrote:
>
> >>
> >> This might actually be a bug. IPv4 uses:
> >>
> >> NF_IP_PRI_FIRST = INT_MIN,
> >> NF_IP_PRI_CONNTRACK_DEFRAG = -400,
> >> NF_IP_PRI_RAW = -300,
> >> NF_IP_PRI_SELINUX_FIRST = -225,
> >> NF_IP_PRI_CONNTRACK = -200,
> >>
> >> while IPv6 uses:
> >>
> >> NF_IP6_PRI_FIRST = INT_MIN,
> >> NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
> >> NF_IP6_PRI_SELINUX_FIRST = -225,
> >> NF_IP6_PRI_CONNTRACK = -200,
> >>
> >> So we actually defragment packets in IPv4 even though they're
> >> untracked. Perhaps Jozsef knows more details why we use
> >> different priorities here.
> >
> > We have to defragment otherwise we could not track and untrack connections
> > at the same time. Fragments don't carry protocol/port so we cannot tell
> > which fragment belongs to a not tracked and which one belongs to a tracked
> > connection.
>
> How so? If I untrack something in the raw table, I would have
> assumed it skips all conntracking - including defrag.

Let's assume that you don't want to track the UDP DNS lookups to your busy
DNS server but want to track all other connections:

iptables -t raw -A PREROUTING -d dns.server -p udp --dport 53 -j NOTRACK
iptables -t raw -A PREROUTING -s dns.server -p udp --sport 53 -j NOTRACK

If the fragments were visible in the raw table, what rule would you use to
handle them?

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
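As an added illustration (not part of the thread) of the point Jozsef makes: constructed Python that fragments an oversized UDP/53 query, shows that a port match of the kind used in the NOTRACK rules above can only be evaluated on the first fragment (later fragments carry no UDP header at all), and shows the same match succeeding once the fragments are reassembled, which is why the defrag hook has to run ahead of the raw table. Addresses, IP ident and payload are constructed sample values.

```python
import struct
UDP = 17  # IPv4 protocol number for UDP

def ipv4_header(src, dst, proto, ident, frag_off, more_frags, payload_len):
    """Minimal 20-byte IPv4 header; frag_off in bytes, checksum left zero."""
    flags_frag = ((1 if more_frags else 0) << 13) | (frag_off // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       flags_frag, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))

def fragment(src, dst, proto, ident, payload, chunk=576):
    """Split one datagram into fragments of `chunk` payload bytes (8-aligned)."""
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        more = off + chunk < len(payload)
        frags.append(ipv4_header(src, dst, proto, ident, off, more,
                                 len(piece)) + piece)
    return frags

def parse_ipv4(pkt):
    ver_ihl, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return {"proto": proto, "ident": ident, "frag_off": (ff & 0x1FFF) * 8,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "payload": pkt[(ver_ihl & 0x0F) * 4:total]}

def udp_dport(pkt):
    """'-p udp --dport' as seen on ONE fragment: only the first carries UDP."""
    h = parse_ipv4(pkt)
    if h["proto"] != UDP or h["frag_off"] != 0 or len(h["payload"]) < 8:
        return None
    return struct.unpack("!HH", h["payload"][:4])[1]

def reassemble(frags):
    """Defrag step (NF_IP_PRI_CONNTRACK_DEFRAG runs before NF_IP_PRI_RAW)."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda h: h["frag_off"])
    payload = b"".join(p["payload"] for p in parts)
    h = parts[0]
    return ipv4_header(h["src"], h["dst"], h["proto"], h["ident"], 0, False,
                       len(payload)) + payload

def make_dns_fragments():
    """Constructed oversized UDP/53 query: 1208-byte payload -> 3 fragments."""
    dns = b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 1194   # fake DNS question
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return fragment("192.0.2.10", "192.0.2.53", UDP, 0xBEEF, udp)
```

Running `[udp_dport(f) for f in make_dns_fragments()]` gives `[53, None, None]`, while `udp_dport(reassemble(make_dns_fragments()))` gives `53`: without the defrag step, the second and third fragments could never be matched by the `--dport 53` rule.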