Wed, Oct 30, 2013 at 03:44:00PM CET, fw@xxxxxxxxx wrote:
>Jiri Pirko <jiri@xxxxxxxxxxx> wrote:
>> >This is a bit backwards, I think.
>> >- We gather frags
>> >- Then we invoke ip6t_do_table for each individual fragment
>> >
>> >So basically your patch is equivalent to
>> >for_each_frag( )
>> >    ip6t_do_table(reassembled_skb)
>> >
>> >Which makes no sense to me - why traverse the ruleset n times with the same
>> >packet?
>>
>> Because each fragment needs to be pushed through separately.
>
>Why? AFAIU we only need to ensure that (in forwarding case) we
>send out the original fragments instead of the reassembled packet.

I don't know why, that's the way it is done now. From the top of my head I
can't think of any scenario why it would hurt to push the reassembled packet
instead (and of course send out original fragments at the end of the way for
forwarding).

>
>> What different approach would you suggest?
>
>I am sure that current behaviour is intentional, so I'd first like to
>understand WHY this was implemented this way.
>
>Also, this would change very long standing behaviour so one might argue that
>this is a no-go anyway.

Can you think of any sane use case this change could possibly break?

>
>What is the exact problem that this is supposed to solve?

Look at the patch description. There's an example. The problem is that
fragments are not correctly matched.