Re: ip6tables breaks dnssec?

On Wednesday 2011-04-27 14:54, Stephen Clark wrote:

> On 04/27/2011 07:22 AM, Jan Engelhardt wrote:
>> On Wednesday 2011-04-27 12:43, Ulrich Weber wrote:
>>
>>   
>>> Each fragmented IPv6 packet will traverse netfilter separately,
>>> in contrast to IPv4, where it's only one refragmented packet.
>>>     
>> Not really. All fragments enter nf_hook_slow, be it IPv4 or IPv6.
>> It's just that nf_defrag - which is a netfilter module - collects and
>> suppresses fragments before spitting out the unfragmented one.
>>
>>   
>>> "ip6tables -A INPUT -j ACCEPT -p udp --dport 53" will only match the
>>> first fragment, where the UDP header can be found. To match the
>>> additional fragments, you have to insert these rules:
>>>
>>> ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> ip6tables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>     
>> That will load nf_conntrack_ipv6, and because conntrack depends on
>> nf_defrag_ipv6, will load that too. Once it is loaded, packets should
>> be defragmented independently of whether you actually use -m conntrack
>> (or the obsolete -m state) or not.
>>   
> Jan,
>
> are you saying we should be using -m conntrack now instead of -m state and that
> -m state is going away?

-m state is old, redundant (since at least 2.6.12..), and as such
ignored whenever possible, but others think removing xt_state is too
much of a message to people..
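
Added example (not part of the thread above, and not the netfilter project's own code): a POSIX shell script that emits the ruleset Ulrich describes, rewritten with -m conntrack instead of the obsolete -m state as Jan recommends, plus two small checks for Jan's point that loading the IPv6 conntrack module pulls in nf_defrag_ipv6, so every fragment is reassembled before the filter tables see it. The rule-emitting and parsing functions run unprivileged; applying the rules needs root. Module names follow the thread (nf_conntrack_ipv6, nf_defrag_ipv6); on kernels from 4.19 on, nf_conntrack_ipv6 has been merged into nf_conntrack, so check that module instead. The function names dns_rules, defrag_loaded and depends_on_defrag are this example's own, and the lsmod/modinfo lines used for the checks are constructed, not captured.

```bash
#!/bin/sh
# Added example, not code from the thread. Assumes ip6tables, lsmod and
# modinfo are present when the rules are actually applied (root only).

# Emit the rules in the order they should be applied. Accepting
# ESTABLISHED,RELATED first means every datagram of a known flow is
# accepted after nf_defrag_ipv6 has reassembled it; the --dport 53
# rules then only need to classify the first packet of a new flow.
# -m conntrack --ctstate is the current spelling of -m state --state.
dns_rules() {
    cat <<'EOF'
ip6tables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT  -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
ip6tables -A INPUT  -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Read lsmod output on stdin; exit 0 iff the IPv6 defragmenter is loaded.
# lsmod prints one module per line with the name in the first column.
defrag_loaded() {
    awk '$1 == "nf_defrag_ipv6" { found = 1 } END { exit !found }'
}

# Read "modinfo -F depends <module>" output on stdin (a comma-separated
# list); exit 0 iff the module declares a dependency on nf_defrag_ipv6,
# i.e. loading it will load the defragmenter as a side effect.
depends_on_defrag() {
    tr ',' '\n' | grep -qx 'nf_defrag_ipv6'
}

# Only touch the live firewall when explicitly asked to, and only as root.
if [ "$(id -u)" -eq 0 ] && [ "${APPLY_RULES:-0}" = 1 ]; then
    dns_rules | sh -e
    if lsmod | defrag_loaded; then
        echo "nf_defrag_ipv6 is loaded: IPv6 fragments are reassembled before filtering"
    else
        echo "nf_defrag_ipv6 is NOT loaded: non-first fragments will miss --dport rules" >&2
    fi
fi
```

Run as root with APPLY_RULES=1 sh script.sh to load the rules; unprivileged, `lsmod | defrag_loaded` and `modinfo -F depends nf_conntrack_ipv6 | depends_on_defrag` (or nf_conntrack on newer kernels) verify the dependency Jan describes without changing anything.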