Pascal Hambourg wrote, at 03/25/2010 04:38 PM:
> Hello,
>
> Jozsef Kadlecsik wrote:
>> On Wed, 24 Mar 2010, YOSHIFUJI Hideaki wrote:
>>
>>>> In this case without conntrack, IPv6 would send an ICMPv6 message,
>>>> so in my opinion the transparent thing to do would be to still send
>>>> them. Of course only if reassembly is done on an end host.
>>> Well, no. conntrack should just forward even uncompleted fragments
>>> to the next process (e.g. core ipv6 code), and then the core would send
>>> an ICMP error back. ICMP should be sent by the core ipv6 code according
>>> to its own decision, not according to netfilter.
>> But what state could be associated by conntrack to the uncompleted
>> fragments but the INVALID state? In consequence, in any sane setup, the
>> uncompleted fragments will be dropped silently by a filter table rule
>> and no ICMP error message will be sent back.
>
> AFAIK, in the IPv4 stack the reassembly takes place before the INPUT
> chains (NF_IP_LOCAL_IN hook). Is it different in the IPv6 stack?

Yes, they are different.

In the IPv4 stack, for an end host, ip_local_deliver() reassembles fragments
before the LOCAL_IN hook.

But in the IPv6 stack, ip6_input_finish() handles fragment extension headers
and tries to reassemble them *after* the LOCAL_IN hook.

--
Best Regards
-----
Shan Wei