On 27/04/2011 at 13:41:39 +0200, Leo Baltus wrote:
> On 27/04/2011 at 13:22:57 +0200, Jan Engelhardt wrote:
> > On Wednesday 2011-04-27 12:43, Ulrich Weber wrote:
> >
> > > Each fragmented IPv6 packet will traverse netfilter separately,
> > > in contrast to IPv4, where it's only one refragmented packet.
> >
> > Not really. All fragments enter nf_hook_slow, be it IPv4 or IPv6.
> > It's just that nf_defrag - which is a netfilter module - collects and
> > suppresses fragments before spitting out the unfragmented one.
> >
> > > "ip6tables -A INPUT -j ACCEPT -p udp --dport 53" will only match the
> > > first fragment, where the UDP header can be found. To match the
> > > additional fragments, you have to insert these rules:
> > >
> > > ip6tables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > > ip6tables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > That will load nf_conntrack_ipv6, and because conntrack depends on
> > nf_defrag_ipv6, will load that too. Once it is loaded, packets should
> > be defragmented independently of whether you actually use -m conntrack
> > (or the obsolete -m state) or not.
>
> my /proc/config.gz says:
> CONFIG_NF_CONNTRACK_IPV6=y
> so it is already loaded
>
> But it does not defrag.
> So is this a bug?

Given the state ip6tables is now in, the only way to make defrag work is to set '--state RELATED,ESTABLISHED'. As I understand it, this should not be the case, right?

> Also I am a bit worried about using conntrack because of the high
> volume DNS queries tend to be, which would generate a very large
> connection tracking table and/or system load.

I am not sure if this is true or not for fragments, but for heavy TCP traffic (http) we use raw/NOTRACK to avoid conntrack. How would that work with ip6tables considering heavily fragmented (http or DNS) traffic?
--
Leo Baltus, internetbeheerder /\
NPO ICT Internet Services /NPO/\
Sumatralaan 45, 1217 GP Hilversum, Filmcentrum, west \ /\/
beheer@xxxxxxxxx, 035-6773555 \/
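To make concrete why a per-packet port match can only classify the first fragment, and why it is defragmentation (pulled in by nf_defrag_ipv6) that lets a rule like `-p udp --dport 53` cover the whole datagram, here is an added Python example; it is not code from this thread or from netfilter. It constructs one UDP/53 datagram split into IPv6 fragments (addresses, ident and payload are constructed sample values), applies a single-packet port match to each fragment, and repeats the match after a minimal nf_defrag-style reassembly.

```python
import struct

IPV6_HDR_LEN = 40
NH_FRAGMENT = 44   # IPv6 Fragment extension header
NH_UDP = 17

def build_fragments(payload, mtu_payload=512, ident=0x1234, dport=53):
    """Constructed sample: one UDP datagram to dport, split into IPv6 fragments.
    mtu_payload must be a multiple of 8 (fragment offsets are in 8-octet units)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    frags, off = [], 0
    while off < len(udp):
        chunk = udp[off:off + mtu_payload]
        more = 1 if off + len(chunk) < len(udp) else 0
        frag_hdr = struct.pack("!BBHI", NH_UDP, 0, ((off // 8) << 3) | more, ident)
        ip6 = struct.pack("!IHBB16s16s", 0x60000000, 8 + len(chunk), NH_FRAGMENT, 64,
                          b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02")  # sample addrs
        frags.append(ip6 + frag_hdr + chunk)
        off += len(chunk)
    return frags

def stateless_udp_dport_match(pkt, dport):
    """What 'ip6tables -p udp --dport N' can see on a single packet without nf_defrag:
    True/False when the UDP header is present, None for a non-first fragment."""
    nh, pos = pkt[6], IPV6_HDR_LEN
    if nh == NH_FRAGMENT:
        nh, _, offflags, _ = struct.unpack_from("!BBHI", pkt, pos)
        pos += 8
        if offflags >> 3 != 0:
            return None  # no transport header in this fragment; ports are unknowable
    if nh != NH_UDP:
        return False
    _, dp = struct.unpack_from("!HH", pkt, pos)
    return dp == dport

def reassemble(frags):
    """Mimic what nf_defrag_ipv6 does for one datagram: order by offset and rebuild
    the unfragmented packet that the rule set then gets to inspect."""
    pieces = []
    for pkt in frags:
        nh, _, offflags, _ = struct.unpack_from("!BBHI", pkt, IPV6_HDR_LEN)
        pieces.append(((offflags >> 3) * 8, nh, pkt[IPV6_HDR_LEN + 8:]))
    pieces.sort()
    body = b"".join(p[2] for p in pieces)
    ip6 = bytearray(frags[0][:IPV6_HDR_LEN])
    ip6[6] = pieces[0][1]               # restore the real next header (UDP)
    struct.pack_into("!H", ip6, 4, len(body))
    return bytes(ip6) + body
```

With a 1000-byte payload and 512-byte fragments, the first fragment matches dport 53, the second cannot be classified at all, and the reassembled packet matches again.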