Hello,

Jozsef Kadlecsik wrote:
>
> On Wed, 24 Mar 2010, YOSHIFUJI Hideaki wrote:
>
>>> In this case without conntrack, IPv6 would send an ICMPv6 message,
>>> so in my opinion the transparent thing to do would be to still send
>>> them. Of course only if reassembly is done on an end host.
>> Well, no. conntrack should just forward even uncompleted fragments
>> to next process (e.g. core ipv6 code), and then the core would send
>> ICMP error back. ICMP should be sent by the core ipv6 code according
>> to decision of itself, not according to netfilter.
>
> But what state could be associated by conntrack to the uncompleted
> fragments but the INVALID state? In consequence, in any sane setup, the
> uncompleted fragments will be dropped silently by a filter table rule
> and no ICMP error message will be sent back.

AFAIK, in the IPv4 stack the reassembly takes place before the INPUT chains (NF_IP_LOCAL_IN hook). Is it different in the IPv6 stack?