On Wed, 4 Jan 2012, Pablo Neira Ayuso wrote:

> On Wed, Jan 04, 2012 at 12:48:35PM +0100, Hans Schillstrom wrote:
> > I like that idea, an "early" table at prio -500 with PREROUTING.
> > There is also a need for a new flag "--allfrags",
> > i.e. all fragments need to be sorted out and sent to the same dest for defrag.
> >
> > ex.
> > iptables -t early -A PREROUTING -i eth0 --allfrags -j NOTRACK
>
> New tables add too much overhead. We have discussed this before with
> Patrick.
>
> Since this still remains specific to your needs, I think you can
> remove the nf_conntrack module in your setup.
>
> I can't come up with one sane setup that may want to selectively defragment
> some traffic and not other traffic.
>
> Am I missing anything else?

I agree. If you don't want defragmentation at all, then make sure you don't load the nf_conntrack module directly or indirectly. Conntrack doesn't work without defragmentation anyway.

The only thing that such a really-early table could buy at the moment is to specify which flows not to defragment at the layer 3 level. If we had dynamic hook registration and hook priorities at table level, that'd come in handy now.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary