Jan Engelhardt wrote: > On Thursday 2010-04-01 13:17, Patrick McHardy wrote: >>> (2010/03/31 19:31), Jan Engelhardt wrote: >>>> Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after >>>> fragmentation as well just to defragment the packets in conntrack >>>> immediately afterwards, but that got changed during the >>>> netfilter-ipsec integration. Ideally IPv6 would behave like IPv4." >>>> >>>> This patch makes it so. Sending an oversized frame (e.g. `ping6 >>>> -s64000 -c1 ::1`) will now show up in POSTROUTING as a single skb >>>> rather than multiple ones. >>> I am not in favor doing this >>> because we theoretically make fragments __before__ routing >>> in output path (as we reassemble __after__ routing in input path). >> That's true, but is symetry for fragment handling really something >> worth keeping? Besides avoiding one refragmentation pass in conntrack, > > I am not quite following where this extra refragmentation is > happening. This was supposed to read "one more *de*fragmentation pass. In IPv6 we don't have to refragment, but simply output the original fragments. > Assuming [nf-packet-flow.png] as a base, there are two > spots in which conntrack/defrag happens: PREROUTING and OUTPUT. > > This translates to: > >> its a lot easier to construct your ruleset when you don't have to >> take care of fragments. > > We never see fragments in the ruleset > > a) for netif_rx received packets, defrag will be run early > (yes, there's raw, but that's special anyway) > > b) locally-generated packets are fragmented only after all of > Netfilter is done. You're assuming conntrack is used. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
