Re: [PATCH RFC] Bridge: do not defragment packets unless connection tracking is enabled

On Sun, May 04, 2014 at 10:06:27PM +0200, Bart De Schuymer wrote:
> If I understood Vasily correctly, in his setup ip_defrag is being
> called from code that isn't connection tracking. Glancing at the
> code, at least IP virtual server and the code that handles the
> router attention IP option also call ip_defrag.
> 
> Isn't there an easy way to see that the skb contains a defragmented
> IP packet? If there were, then it seems replacing the "skb->nfct !=
> NULL" by "is_defragmented(skb)" would suffice, no?

We didn't find any way that a packet larger than the mtu can hit that
code. The (re-)fragmentation only applies to a skb that fulfills
skb_has_frag_list(), so no need to restrict it.

> I see no reason to artificially restrict defrag/refrag to connection
> tracking.

After Vasily's patch, fragmentation/defragmentation on a bridge will
basically depend on if nf_defrag_ipv4 is loaded or not.