On 04/27/2011 07:22 AM, Jan Engelhardt wrote:
> On Wednesday 2011-04-27 12:43, Ulrich Weber wrote:
>> Each fragmented IPv6 packet will traverse netfilter separately,
>> in contrast to IPv4, where it's only one refragmented packet.
>
> Not really. All fragments enter nf_hook_slow, be it IPv4 or IPv6.
> It's just that nf_defrag - which is a netfilter module - collects and
> suppresses fragments before spitting out the unfragmented one.
>
>> "ip6tables -A INPUT -j ACCEPT -p udp --dport 53" will only match the
>> first fragment, where the UDP header can be found. To match the
>> additional fragments, you have to insert these rules:
>>
>> ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>> ip6tables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>
> That will load nf_conntrack_ipv6, and because conntrack depends on
> nf_defrag_ipv6, will load that too. Once it is loaded, packets should
> be defragmented independently of whether you actually use -m conntrack
> (or the obsolete -m state) or not.

Jan,

are you saying we should be using -m conntrack now instead of -m state
and that -m state is going away?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
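The point Ulrich and Jan are discussing (a `-p udp --dport 53` rule can only see the UDP header in the fragment with offset 0, and loading nf_defrag_ipv6 via conntrack fixes that by reassembling before rule evaluation) can be shown with a small packet-level model. The following is an added example, not code from the thread or from netfilter: it hand-builds two IPv6 fragments of one UDP datagram with constructed addresses, walks each fragment's header chain the way a port match would, and then performs a simplified reassembly standing in for what nf_defrag_ipv6 does. The `build_fragments`, `parse`, `matches_udp_dport` and `reassemble` names, the 2001:db8:: addresses and the fragment identification value are all constructed for this example; the reassembly ignores overlap, ordering attacks and timeouts that a real defragmenter must handle.

```python
"""Model of why 'ip6tables -p udp --dport 53' matches only the first
IPv6 fragment, and why defragmentation lets the rule see the whole datagram.
Added example; packets, addresses and helper names are constructed here."""
import struct

IPPROTO_UDP = 17
IPPROTO_FRAGMENT = 44  # IPv6 Fragment extension header (RFC 8200)

# Constructed documentation-range addresses (2001:db8::1 -> 2001:db8::2).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6_header(payload_len, next_header, src, dst):
    # version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def fragment_header(next_header, offset_units, more, ident):
    # Fragment Offset is in 8-octet units and occupies the top 13 bits;
    # the lowest bit is the M (more fragments) flag.
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def udp_header(sport, dport, length):
    return struct.pack("!HHHH", sport, dport, length, 0)  # checksum left 0 in the model


def build_fragments(udp_payload, frag_size=32):
    """Split one UDP datagram (sport 53000, dport 53) into IPv6 fragments.
    frag_size must be a multiple of 8 for all but the last fragment."""
    assert frag_size % 8 == 0
    full = udp_header(53000, 53, 8 + len(udp_payload)) + udp_payload
    ident = 0x12345678  # constructed identification value
    frags = []
    for off in range(0, len(full), frag_size):
        chunk = full[off:off + frag_size]
        more = off + frag_size < len(full)
        fh = fragment_header(IPPROTO_UDP, off // 8, more, ident)
        frags.append(ipv6_header(len(fh) + len(chunk), IPPROTO_FRAGMENT, SRC, DST) + fh + chunk)
    return frags


def parse(pkt):
    """Walk the header chain of one packet. Returns fragment offset, M flag,
    the final protocol, and the UDP destination port if it is visible."""
    _, _, nh, _, _, _ = struct.unpack("!IHBB16s16s", pkt[:40])
    off = 40
    info = {"frag_offset": 0, "more": False, "proto": nh, "dport": None}
    if nh == IPPROTO_FRAGMENT:
        nh, _, offm, ident = struct.unpack("!BBHI", pkt[off:off + 8])
        info.update(frag_offset=offm >> 3, more=bool(offm & 1), ident=ident, proto=nh)
        off += 8
    # The transport header exists only in the fragment with offset 0.
    if nh == IPPROTO_UDP and info["frag_offset"] == 0 and len(pkt) >= off + 8:
        _, dport, _, _ = struct.unpack("!HHHH", pkt[off:off + 8])
        info["dport"] = dport
    return info


def matches_udp_dport(pkt, dport):
    """Emulate evaluating '-p udp --dport <dport>' on a single packet."""
    return parse(pkt)["dport"] == dport


def reassemble(frags):
    """Simplified stand-in for nf_defrag_ipv6: order fragment payloads by
    offset and rebuild the unfragmented datagram (no overlap/timeout handling)."""
    parts = {}
    for pkt in frags:
        info = parse(pkt)
        parts[info["frag_offset"] * 8] = pkt[48:]  # skip 40-byte IPv6 + 8-byte fragment header
    body = b"".join(parts[k] for k in sorted(parts))
    return ipv6_header(len(body), IPPROTO_UDP, SRC, DST) + body


if __name__ == "__main__":
    frags = build_fragments(b"x" * 50)  # constructed 50-byte DNS-sized payload
    for i, f in enumerate(frags):
        info = parse(f)
        print(f"fragment {i}: offset={info['frag_offset']*8} more={info['more']} "
              f"dport={info['dport']} match={matches_udp_dport(f, 53)}")
    print("after defrag:", matches_udp_dport(reassemble(frags), 53))
```

Without defragmentation the second fragment carries a Fragment header whose Next Header says UDP, but no UDP header of its own, so a port match has nothing to compare against and the rule falls through; once the fragments are reassembled, the same rule matches the whole datagram, which is the behaviour Jan describes once nf_defrag_ipv6 is loaded.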