YOSHIFUJI Hideaki wrote:
> Hello.
>
> (2010/03/31 19:31), Jan Engelhardt wrote:
>> Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after
>> fragmentation as well just to defragment the packets in conntrack
>> immediately afterwards, but that got changed during the
>> netfilter-ipsec integration. Ideally IPv6 would behave like IPv4."
>>
>> This patch makes it so. Sending an oversized frame (e.g. `ping6
>> -s64000 -c1 ::1`) will now show up in POSTROUTING as a single skb
>> rather than multiple ones.
>
> I am not in favor of doing this
> because we theoretically make fragments __before__ routing
> in output path (as we reassemble __after__ routing in input path).

That's true, but is symmetry for fragment handling really something
worth keeping? Besides avoiding one refragmentation pass in conntrack,
it's a lot easier to construct your ruleset when you don't have to take
care of fragments.

Granted, in IPv4 the main motivation for this change was to reduce
stack usage by not using the "okfn" anymore, which isn't too important
on the output path, and we don't fragment forwarded packets in IPv6.

> IMHO, FORWARDING and POSTROUTING share similar semantics
> from routing POV.
> As we see "fragments" in FORWARDING, we should see
> fragments in POST_ROUTING, at least in IPv6.

We'd still see them for forwarded packets.