On Thursday 2010-04-01 13:17, Patrick McHardy wrote: >YOSHIFUJI Hideaki wrote: >> Hello. >> >> (2010/03/31 19:31), Jan Engelhardt wrote: >>> Patrick McHardy notes: "We used to invoke IPv4 POST_ROUTING after >>> fragmentation as well just to defragment the packets in conntrack >>> immediately afterwards, but that got changed during the >>> netfilter-ipsec integration. Ideally IPv6 would behave like IPv4." >>> >>> This patch makes it so. Sending an oversized frame (e.g. `ping6 >>> -s64000 -c1 ::1`) will now show up in POSTROUTING as a single skb >>> rather than multiple ones. >> >> I am not in favor doing this >> because we theoretically make fragments __before__ routing >> in output path (as we reassemble __after__ routing in input path). > >That's true, but is symetry for fragment handling really something >worth keeping? Besides avoiding one refragmentation pass in conntrack, >its a lot easier to construct your ruleset when you don't have to >take care of fragments. [...] So, drop the patch or not? -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
