Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
> On the current net-next if you on HOSTA do:
> ip6tables -I INPUT -p icmpv6 -j DROP
> ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT
>
> and on HOSTB you do:
> ping6 HOSTA -s2000 (MTU is 1500)
>
> Only the first ICMP echo request will be passed through, the rest is not
> passed on HOSTA. This issue does not occur with smaller packets than MTU (where
> fragmentation does not happen).
>
> I'm trying to find out where the problem is.

Are you sure this is new behaviour? As far back as I can remember it was
always like this.

In ip6tables, the individual fragments are sent through the ruleset, iow.
you'll need to make use of '-m conntrack' to match the fragments belonging
to an existing connection.

I don't know why this is, and I don't like this either. But this is how it
was implemented, see net/ipv6/netfilter/nf_defrag_ipv6_hooks.c,
ipv6_defrag() -> nf_ct_frag6_output()
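The behaviour described in the thread follows directly from how a per-fragment filter sees the packet: only the first fragment of a large echo request carries the 8-byte ICMPv6 header, so a match on the ICMPv6 type can succeed only there, while `-p icmpv6` still matches every fragment via the Fragment header's next-header field. The following is an added illustration, not code from the thread or from netfilter: it hand-builds the fragments that `ping6 -s2000` would produce at a 1500-byte MTU, parses them the way a filter must, and runs them through a toy first-match model of the two-rule INPUT chain from the report. It generalizes to any payload size. The addresses are constructed documentation-prefix values, the ICMPv6 checksum is left zero, and the fragment-size arithmetic is an approximation of the kernel's, not a copy of it.

```python
"""Why `ip6tables -p icmpv6 -m icmp6 --icmpv6-type 128` matches only the
first fragment of a large ping6. Added example, not code from the thread:
a hand-built IPv6 fragmenter, a parser that walks the header chain the way
a per-fragment filter has to, and a toy first-match rule evaluator.
Addresses and payload are constructed test data."""
import struct

IPPROTO_ICMPV6 = 58
IPPROTO_FRAGMENT = 44
ICMPV6_ECHO_REQUEST = 128

# Constructed documentation-prefix addresses (RFC 3849), not real hosts.
HOSTB = bytes.fromhex("20010db8000000000000000000000002")  # sender
HOSTA = bytes.fromhex("20010db8000000000000000000000001")  # filtering host


def ipv6_header(payload_len, next_header, src, dst):
    # 40-byte fixed header: version 6, tclass/flowlabel 0, hop limit 64.
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, 64, src, dst)


def fragment_header(next_header, offset_units, more, ident):
    # RFC 8200 Fragment header: offset is in 8-octet units, M flag in bit 0.
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


def build_echo_fragments(data_len, mtu=1500, ident=0x1234):
    """Split one ICMPv6 echo request into on-the-wire fragments.

    Only the first fragment carries the 8-byte ICMPv6 header (type 128);
    the rest carry a Fragment header followed by raw payload bytes.
    Checksum is left 0 because nothing here verifies it (constructed data).
    """
    icmp = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, 0x1, 1) + b"A" * data_len
    per_frag = ((mtu - 40 - 8) // 8) * 8   # fragmentable bytes per packet, multiple of 8
    frags = []
    for off in range(0, len(icmp), per_frag):
        piece = icmp[off:off + per_frag]
        more = off + per_frag < len(icmp)
        hdr = fragment_header(IPPROTO_ICMPV6, off // 8, more, ident)
        frags.append(ipv6_header(8 + len(piece), IPPROTO_FRAGMENT, HOSTB, HOSTA) + hdr + piece)
    return frags


def parse(pkt):
    """Return (upper_proto, upper_header_bytes_or_None, frag_offset_units).

    For a non-first fragment the upper-layer header is in another packet,
    so the second element is None: a filter cannot read the ICMPv6 type.
    """
    _, _, nh, _, _, _ = struct.unpack("!IHBB16s16s", pkt[:40])
    off = 40
    if nh == IPPROTO_FRAGMENT:
        nh, _, ofm, _ = struct.unpack("!BBHI", pkt[off:off + 8])
        off += 8
        if ofm >> 3:
            return nh, None, ofm >> 3
    return nh, pkt[off:], 0


def match_proto_icmpv6(pkt):           # ip6tables: -p icmpv6
    return parse(pkt)[0] == IPPROTO_ICMPV6


def match_icmpv6_type(pkt, wanted):    # ip6tables: -p icmpv6 -m icmp6 --icmpv6-type N
    proto, upper, _ = parse(pkt)
    return proto == IPPROTO_ICMPV6 and upper is not None and upper[0] == wanted


# Final INPUT chain after the two `-I` commands from the thread (the second insert lands first).
RULESET = [
    (lambda p: match_icmpv6_type(p, ICMPV6_ECHO_REQUEST), "ACCEPT"),
    (match_proto_icmpv6, "DROP"),
]


def verdict(pkt, ruleset=RULESET, policy="ACCEPT"):
    """First matching rule wins; fall through to the chain policy."""
    for match, target in ruleset:
        if match(pkt):
            return target
    return policy


def verdicts_for_ping(data_len=2000):
    """Per-fragment verdicts for `ping6 -s <data_len>` against RULESET."""
    return [verdict(f) for f in build_echo_fragments(data_len)]


def reassemble(frags):
    """Join fragments by offset (no overlap or ordering checks): the ICMPv6
    type is only visible on the reassembled datagram, never on fragment 2+."""
    parts = sorted((parse(f)[2], f[48:]) for f in frags)
    full = b"".join(p for _, p in parts)
    return ipv6_header(len(full), IPPROTO_ICMPV6, HOSTB, HOSTA) + full


if __name__ == "__main__":
    frags = build_echo_fragments(2000)
    for i, f in enumerate(frags):
        print(f"fragment {i}: offset={parse(f)[2]} verdict={verdict(f)}")
    print("reassembled type match:", match_icmpv6_type(reassemble(frags), ICMPV6_ECHO_REQUEST))
```

With a 2000-byte payload the model yields `ACCEPT` for the first fragment and `DROP` for the second, matching the report; a 100-byte payload yields a single `ACCEPT`. The rule evaluator deliberately has no notion of connection state, which is exactly what the reply points at: because the fragments are re-injected individually after reassembly, the way to let the trailing fragments through is a `-m conntrack` state match placed before the DROP rule rather than a type match, since the type bytes are simply not present in those packets.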