On Thursday 2010-04-01 13:56, Patrick McHardy wrote:
>
>>>>> just to defragment the packets in conntrack
>>>>> immediately afterwards
>
>This was supposed to read "one more *de*fragmentation pass. In
>IPv6 we don't have to refragment, but simply output the original
>fragments.
>
>> Assuming [nf-packet-flow.png] as a base, there are two
>> spots in which conntrack/defrag happens: PREROUTING and OUTPUT.
>> [...]
>> We never see fragments in the ruleset
>>
>> a) for netif_rx received packets, defrag will be run early
>> (yes, there's raw, but that's special anyway)
>>
>> b) locally-generated packets are fragmented only after all of
>> Netfilter is done.
>
>You're assuming conntrack is used.

That was what your original message was about, was it not?
If there is no nf_defrag loaded, there is not much left besides
the standard IPv4 stack defrag on input, the fragmentation on
output, and the double-fragmentation on forward. What did I miss?