Each fragmented IPv6 packet will traverse netfilter separately, in contrast to IPv4, where it's only one refragmented packet. "ip6tables -A INPUT -j ACCEPT -p udp --dport 53" will only match the first fragment, where the UDP header can be found. To match the additional fragments, you have to insert these rules:

ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Cheers
Ulrich

On 04/27/2011 12:08 PM, Jan Engelhardt wrote:
> On Wednesday 2011-04-27 10:57, Leo Baltus wrote:
>
>> Hi,
>>
>> When doing recursive dns queries to dnssec-enabled servers it looks like
>> ip6tables does not assemble udp packets before filtering takes place.
>> This results in fragments being dropped.
>
> You need to have nf_defrag_ipv6 loaded for automatic defragmentation.
> There are only a few components that depend on it - nf_conntrack and
> TPROXY, so it may not be autoloaded if you do not use either.
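As an added illustration of Ulrich's point (example code, not from the thread or the netfilter project): a small Python parser that mimics a stateless "-p udp --dport 53" match on two constructed IPv6 fragments. Only the offset-0 fragment carries the UDP header, so the second fragment can never match on port and has to be accepted via conntrack (RELATED,ESTABLISHED, which pulls in nf_defrag_ipv6) instead. Addresses, fragment ID and datagram contents are constructed sample values.

```python
import struct

IPV6_HDR_LEN = 40
NH_FRAGMENT = 44   # IPv6 Fragment extension header
NH_UDP = 17


def build_fragment(udp_slice, offset, more, ident, src, dst):
    """Wrap one slice of a UDP datagram in an IPv6 header plus Fragment header (constructed packet)."""
    assert offset % 8 == 0  # fragment offsets are in 8-octet units
    # 16-bit field: offset (13 bits, already a multiple of 8) | reserved (2 bits) | M flag
    frag_hdr = struct.pack("!BBHI", NH_UDP, 0, offset | int(more), ident)
    body = frag_hdr + udp_slice
    ipv6 = struct.pack("!IHBB16s16s", 6 << 28, len(body), NH_FRAGMENT, 64, src, dst)
    return ipv6 + body


def parse_packet(pkt):
    """Return fragment info and the UDP dport, but only if the UDP header is inside this packet."""
    _ver, _plen, nh, _hlim, _src, _dst = struct.unpack("!IHBB16s16s", pkt[:IPV6_HDR_LEN])
    info = {"fragmented": False, "frag_offset": 0, "more": False, "udp_dport": None}
    pos = IPV6_HDR_LEN
    if nh == NH_FRAGMENT:
        nh, _res, off_m, ident = struct.unpack("!BBHI", pkt[pos:pos + 8])
        info.update(fragmented=True, frag_offset=off_m & ~7, more=bool(off_m & 1), ident=ident)
        pos += 8
    if nh == NH_UDP and info["frag_offset"] == 0:
        # Only an unfragmented packet or the first fragment starts with the UDP header.
        info["udp_dport"] = struct.unpack("!HHHH", pkt[pos:pos + 8])[1]
    return info


def stateless_match(pkt, dport):
    """Mimic 'ip6tables -p udp --dport N' with no conntrack / nf_defrag_ipv6 loaded."""
    return parse_packet(pkt)["udp_dport"] == dport


def demo():
    src = bytes.fromhex("20010db8000000000000000000000001")  # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    dns = b"\x12\x34\x01\x00" + b"\x00" * 1396                # constructed oversized DNS message
    udp = struct.pack("!HHHH", 45678, 53, 8 + len(dns), 0) + dns  # sport 45678 -> dport 53
    cut = 1232  # multiple of 8; 40 + 8 + 1232 bytes fits the IPv6 minimum MTU of 1280
    frags = [build_fragment(udp[:cut], 0, True, 0xABCD, src, dst),
             build_fragment(udp[cut:], cut, False, 0xABCD, src, dst)]
    return [stateless_match(f, 53) for f in frags]  # first fragment matches, second does not
```

Running demo() gives [True, False]: the port-based rule alone accepts only the first fragment, which is exactly the "fragments being dropped" symptom from the original report.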