Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 03, 2017 at 08:28:40PM -0600, Subash Abhinov Kasiviswanathan wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set 0 to preserve existing behavior (always
> defrag per interface).
> 
> This is useful for pure ipv4 forwarding scenarios (without NAT)
> in conjunction with xfrm. It appears that network stack defrags
> the packets and then forwards them to xfrm which then encrypts
> and then later fragments them on a different boundary compared
> to the source.

The reassembling happens because of conntrack, right?
In this case, I'd recommend to do it like IPv6 does.
I.e. reassembling the fragments, inspect the reassembled
packet and if OK, send the chain of fragments instead of
the reassembled packet back to the stack.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux