On Thu, Jun 02, 2016 at 06:57:58PM +0200, Laura Garcia Liebana wrote:
> Add translation for frag to nftables. Not supported yet in nft: fraglen,
> fragfirst and fraglast.

You can provide translations for fragfirst and fraglast.

'--fragfirst' is actually frag-off 0, and '--fraglast' is more-fragments 1.

Note that because there is no 1:1 mapping, it doesn't mean you can
translate things.

And regarding --fraglen, if you look at
iptables/extensions/libip6t_frag.c, you'll see:

	case O_FRAGLEN:
		/*
		 * As of Linux 3.0, the kernel does not check for
		 * fraglen at all.
		 */
		if (cb->invert)
			fraginfo->invflags |= IP6T_FRAG_INV_LEN;
		fraginfo->flags |= IP6T_FRAG_LEN;
		break;

Then, browsing:

http://lxr.free-electrons.com/source/net/ipv6/netfilter/ip6t_frag.c

shows no references to IP6T_FRAG_LEN in the kernel, so this confirms
this option was already deprecated some time ago and the comment in the
iptables source code is correct.

Please respin and send a v2 including this useful information in the
commit message so we keep this in the record.
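
Added example, not part of the original message or of the iptables/nftables sources: a small C decoder for the two IPv6 Fragment header fields the reply names, frag-off and more-fragments, laid out as in RFC 8200 section 4.5. The struct, the function name and the sample header bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded IPv6 Fragment extension header (8 bytes on the wire). */
struct frag_fields {
	uint8_t  nexthdr;        /* protocol following the fragment header */
	uint16_t frag_off;       /* 13-bit fragment offset, in 8-octet units */
	uint8_t  more_fragments; /* M flag: 1 = more fragments follow */
	uint32_t id;             /* identification shared by all fragments */
};

/* Decode from raw bytes. Returns 0 on success, -1 on a short or NULL buffer. */
int parse_frag_hdr(const uint8_t *p, size_t len, struct frag_fields *out)
{
	uint16_t word;

	if (p == NULL || out == NULL || len < 8)
		return -1;
	/* Bytes 2-3, network order: offset (13 bits) | reserved (2) | M (1). */
	word = (uint16_t)((p[2] << 8) | p[3]);
	out->nexthdr = p[0];
	out->frag_off = (uint16_t)(word >> 3);
	out->more_fragments = (uint8_t)(word & 0x1);
	out->id = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
		  ((uint32_t)p[6] << 8) | (uint32_t)p[7];
	return 0;
}

/* Constructed sample headers (next header 0x3a = ICMPv6). */
const uint8_t sample_first[8] = { 0x3a, 0x00, 0x00, 0x01, 0xde, 0xad, 0xbe, 0xef };
const uint8_t sample_later[8] = { 0x3a, 0x00, 0x05, 0xa8, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
	const uint8_t *samples[] = { sample_first, sample_later };
	struct frag_fields f;

	for (size_t i = 0; i < 2; i++) {
		if (parse_frag_hdr(samples[i], 8, &f) != 0)
			return 1;
		printf("frag-off %u (byte offset %u) more-fragments %u id 0x%08x\n",
		       (unsigned)f.frag_off, (unsigned)f.frag_off * 8u,
		       (unsigned)f.more_fragments, (unsigned)f.id);
	}
	return 0;
}
```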