Re: [PATCH 1/5] netfilter: ipv6: move POSTROUTING invocation before fragmentation

Jan Engelhardt wrote:
> On Thursday 2010-04-01 13:56, Patrick McHardy wrote:
>>>>>> just to defragment the packets in conntrack
>>>>>> immediately afterwards
>> This was supposed to read "one more *de*fragmentation pass". In
>> IPv6 we don't have to refragment, but simply output the original
>> fragments.
>>
>>> Assuming [nf-packet-flow.png] as a base, there are two
>>> spots in which conntrack/defrag happens: PREROUTING and OUTPUT.
>>> [...]
>>> We never see fragments in the ruleset
>>>
>>>  a) for netif_rx received packets, defrag will be run early
>>>     (yes, there's raw, but that's special anyway)
>>>
>>>  b) locally-generated packets are fragmented only after all of
>>>     Netfilter is done.
>> You're assuming conntrack is used.
> 
> That was what your original message was about, was it not?

Partially, but the ruleset construction point you replied to of
course only applies when conntrack is not used.

> If there is no nf_defrag loaded, there is not much left besides
> the standard IPv4 stack defrag on input, the fragmentation
> on output, and the double-fragmentation on forward.
> 
> What did I miss?

Now I seem to be missing something. Why are we suddenly talking
about IPv4 and nf_defrag?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
