On Thursday 2010-04-01 13:17, Patrick McHardy wrote:
>> (2010/03/31 19:31), Jan Engelhardt wrote:
>>> Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after
>>> fragmentation as well just to defragment the packets in conntrack
>>> immediately afterwards, but that got changed during the
>>> netfilter-ipsec integration. Ideally IPv6 would behave like IPv4."
>>>
>>> This patch makes it so. Sending an oversized frame
>>> (e.g. `ping6 -s64000 -c1 ::1`) will now show up in POSTROUTING
>>> as a single skb rather than multiple ones.
>>
>> I am not in favor of doing this
>> because we theoretically make fragments __before__ routing
>> in output path (as we reassemble __after__ routing in input path).
>
>That's true, but is symmetry for fragment handling really something
>worth keeping? Besides avoiding one refragmentation pass in conntrack,

I am not quite following where this extra refragmentation is happening.
Assuming [nf-packet-flow.png] as a base, there are two spots in which
conntrack/defrag happens: PREROUTING and OUTPUT. This translates to:

>it's a lot easier to construct your ruleset when you don't have to
>take care of fragments.

We never see fragments in the ruleset

a) for netif_rx received packets, defrag will be run early
   (yes, there's raw, but that's special anyway)
b) locally-generated packets are fragmented only after all of
   Netfilter is done.