Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE

Jan Engelhardt wrote:
> On Wednesday 2010-03-17 14:55, Patrick McHardy wrote:
>>>>> +	if (dst->hh != NULL) {
>>>>> +		neigh_hh_output(dst->hh, skb);
>>>>> +	} else if (dst->neighbour != NULL) {
>>>>> +		dst->neighbour->output(skb);
>>>>> +	} else {
>>>>> +		if (net_ratelimit())
>>>>> +			pr_debug(KBUILD_MODNAME
>>>>> +				"no hdr & no neighbour cache!\n");
>>>>> +		kfree_skb(skb);
>>>>> +	}
>>>>> +}
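Review bot: the pr_debug() format in the else branch concatenates KBUILD_MODNAME directly onto the message with no separator, so the string is emitted as `xt_TEEno hdr & no neighbour cache!`; write it as `pr_debug(KBUILD_MODNAME ": no hdr & no neighbour cache!\n");`. Guarding pr_debug() with net_ratelimit() is also inconsistent: pr_debug() compiles to nothing unless DEBUG or dynamic debug is enabled, so the rate limit only makes sense if the message is meant to reach production logs, in which case a higher log level without pr_debug() would match the intent.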
>>>> Remind me again why we need this duplicated output function?
>> You can use dst_output() and set IPSKB_REROUTED to skip the hook
>> invocation. This will potentially perform fragmentation however.
> 
> We don't have IPSKB_REROUTED for IPv6 currently.
> 
> While I was pondering adding that, I noticed another upside-down
> world:
> 
>  - iptables POSTROUTING is invoked before outgoing fragmentation
>    (verified using ping -s 65000 localhost, and watching with both
>    ipt_LOG and tcpdump.)
> 
>  - ip6tables POSTROUTING is invoked after outgoing fragmentation

That's correct. We used to invoke IPv4 POST_ROUTING after fragmentation
as well just to defragment the packets in conntrack immediately
afterwards, but that got changed during the netfilter-ipsec integration.

Ideally IPv6 would behave like IPv4.

> Also, if I am reading right, POSTROUTING is invoked twice for v6
> multicast.

I can see one invocation for loopback and one for non-loopback.
That's fine.
