On Thursday 2010-04-01 14:28, Patrick McHardy wrote:

>>>
>>>> Assuming [nf-packet-flow.png] as a base, there are two
>>>> spots in which conntrack/defrag happens: PREROUTING and OUTPUT.
>>>> [...]
>>>> We never see fragments in the ruleset
>>>>
>>>> a) for netif_rx received packets, defrag will be run early
>>>> (yes, there's raw, but that's special anyway)
>>>>
>>>> b) locally-generated packets are fragmented only after all of
>>>> Netfilter is done.
>>> You're assuming conntrack is used.
>>
>> That was what your original message was about, was it not?
>
> Partially, but the ruleset construction point you replied to of
> course only applies when conntrack is not used.
>
>> If there is no nf_defrag loaded, there is not much left besides
>> the standard IPv4 stack defrag on input, the fragmentation
>> on output, and the double-fragmentation on forward.
>>
>> What did I miss?
>
> Now I seem to be missing something. Why are we suddenly talking
> about IPv4 and nf_defrag?

So when exactly is the problem showing?