On 27/04/2011 at 12:43:19 +0200, Ulrich Weber wrote:
> Each fragmented IPv6 packet will traverse netfilter separately,
> in contrast to IPv4, where it's only one refragmented packet.
>
I seem to have missed that.

> "ip6tables -A INPUT -j ACCEPT -p udp --dport 53" will only match the
> first fragment, where the UDP header can be found. To match the
> additional fragments, you have to insert these rules:
>
> ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> ip6tables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
Thanks. That was it.

> On 04/27/2011 12:08 PM, Jan Engelhardt wrote:
> > On Wednesday 2011-04-27 10:57, Leo Baltus wrote:
> >
> >> Hi,
> >>
> >> When doing recursive dns queries to dnssec-enabled servers it looks like
> >> ip6tables does not assemble udp packets before filtering takes place.
> >> This results in fragments being dropped.
> >
> > You need to have nf_defrag_ipv6 loaded for automatic defragmentation.
> > There are only a few components that depend on it - nf_conntrack and
> > TPROXY, so it may not be autoloaded if you do not use either.
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>

-- 
Leo Baltus, internetbeheerder            /\
NPO ICT Internet Services              /NPO/\
Sumatralaan 45, 1217 GP Hilversum,     \ /\/
Filmcentrum, west                       \/
beheer@xxxxxxxxx, 035-6773555
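The two points made in this thread (non-first IPv6 fragments carry no UDP header, so only a conntrack state rule can accept them, and conntrack reassembly needs nf_defrag_ipv6 loaded) can be checked offline against an ip6tables-save dump and a /proc/modules listing. The script below is an added example written for this page, not code from the thread or from the netfilter project; it assumes you hand it those two files, and the module listings and rule dumps it builds are constructed samples, so it never touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the IPv6 fragment
# issue discussed above. Inputs are a /proc/modules-style listing and an
# ip6tables-save dump; nothing here modifies a live ruleset.

# defrag_loaded MODULES_FILE
# Succeeds if nf_defrag_ipv6 is listed. Without it, non-first fragments are
# never reassembled, so no conntrack state can be matched against them.
defrag_loaded() {
    grep -q '^nf_defrag_ipv6 ' "$1"
}

# audit_input_chain RULES_FILE
# A non-first IPv6 fragment has no UDP header, so "--dport 53" never matches
# it; only a RELATED,ESTABLISHED accept can. Succeeds when INPUT has such a
# rule placed before any DROP/REJECT rule, or when the chain cannot drop
# fragments at all (ACCEPT policy and no explicit drop rule).
audit_input_chain() {
    awk '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / {
            n++
            if (!state && $0 ~ /(--state|--ctstate) [A-Z,]*(RELATED|ESTABLISHED)/ &&
                $0 ~ /-j ACCEPT/) state = n
            if (!drop && $0 ~ /-j (DROP|REJECT)/) drop = n
        }
        END {
            if (policy == "ACCEPT" && !drop) exit 0
            exit !(state && (!drop || state < drop))
        }
    ' "$1"
}

WORK=$(mktemp -d)

# Constructed /proc/modules excerpts (name size refcount users state address).
printf '%s\n' \
    'nf_conntrack 139264 2 nf_conntrack_ipv6,xt_state, Live 0x0000000000000000' \
    'nf_defrag_ipv6 20480 1 nf_conntrack_ipv6, Live 0x0000000000000000' \
    > "$WORK/modules.with"
printf '%s\n' \
    'ip6_tables 32768 1 ip6table_filter, Live 0x0000000000000000' \
    > "$WORK/modules.without"

# Constructed ip6tables-save dump matching the original report: only the
# port rule exists, so non-first fragments fall through to the DROP policy.
cat > "$WORK/rules.before" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF

# The same dump after "ip6tables -I INPUT -m state --state
# RELATED,ESTABLISHED -j ACCEPT" (-I places the rule first).
cat > "$WORK/rules.after" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF

# A state rule that was appended after a catch-all REJECT: never reached.
cat > "$WORK/rules.misordered" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

# Human-readable summary when run stand-alone.
report() {
    for f in modules.with modules.without; do
        if defrag_loaded "$WORK/$f"; then echo "$f: nf_defrag_ipv6 loaded"
        else echo "$f: nf_defrag_ipv6 NOT loaded (fragments cannot be tracked)"; fi
    done
    for f in rules.before rules.after rules.misordered; do
        if audit_input_chain "$WORK/$f"; then echo "$f: non-first fragments reach a state rule"
        else echo "$f: non-first fragments will be dropped"; fi
    done
}
report
```

On a real host you would pass `/proc/modules` and the output of `ip6tables-save` to the two functions; the ordering check matters because an appended state rule that sits behind a catch-all REJECT or DROP is never consulted for the fragments it was meant to accept.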