Re: [PATCH 8/9] netfilter: xtables: inclusion of xt_TEE

Patrick McHardy wrote:
>
>> - iptables POSTROUTING is invoked before outgoing fragmentation
>>   (verified using ping -s 65000 localhost, and watching with both
>>   ipt_LOG and tcpdump.)
>>
>> - ip6tables POSTROUTING is invoked after outgoing fragmentation
>
>That's correct. We used to invoke IPv4 POST_ROUTING after fragmentation
>as well just to defragment the packets in conntrack immediately
>afterwards, but that got changed during the netfilter-ipsec integration.
>
>Ideally IPv6 would behave like IPv4.

Can you elaborate? conntrack runs well before POSTROUTING,
so the choice of doing POSTROUTING before or after fragmentation
seems to have no effect (other than perhaps xfrm).
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
