We can probably skip defrag if explicit notrack is requested via rule.
Hi Pablo
Thanks for the suggestion. I tried this and it appears that defrag
occurs before NOTRACK is hit in raw table in PREROUTING. This is because
the defrag priority happens to be higher than that of RAW.
[include/uapi/linux/netfilter_ipv4.h]
enum nf_ip_hook_priorities {
	NF_IP_PRI_FIRST = INT_MIN,
	NF_IP_PRI_CONNTRACK_DEFRAG = -400,
	NF_IP_PRI_RAW = -300,
	NF_IP_PRI_SELINUX_FIRST = -225,
	NF_IP_PRI_CONNTRACK = -200,
By changing the ordering of NF_IP_PRI_CONNTRACK_DEFRAG to -210 (some
lower value) instead of -400 (before CONNTRACK), I was able to skip the
defrag when NOTRACK was set. Do you think this is a possible solution?
diff --git a/include/uapi/linux/netfilter_ipv4.h
b/include/uapi/linux/netfilter_ipv4.h
index 91ddd1f..13dc767 100644
--- a/include/uapi/linux/netfilter_ipv4.h
+++ b/include/uapi/linux/netfilter_ipv4.h
@@ -56,9 +56,9 @@
enum nf_ip_hook_priorities {
NF_IP_PRI_FIRST = INT_MIN,
- NF_IP_PRI_CONNTRACK_DEFRAG = -400,
NF_IP_PRI_RAW = -300,
NF_IP_PRI_SELINUX_FIRST = -225,
+ NF_IP_PRI_CONNTRACK_DEFRAG = -210,
NF_IP_PRI_CONNTRACK = -200,
NF_IP_PRI_MANGLE = -150,
NF_IP_PRI_NAT_DST = -100,
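Review bot: the hunk moves NF_IP_PRI_CONNTRACK_DEFRAG from before NF_IP_PRI_RAW (-300) to after NF_IP_PRI_SELINUX_FIRST (-225), so the raw table and the SELinux hook now run on unreassembled fragments rather than on the reassembled packet; any raw rule that matches on transport-layer fields will only see them in the first fragment, and that behaviour change is not mentioned anywhere. It is also unclear why the new value is -210 rather than a value just above RAW (e.g. between -300 and -225), and because this is a header under include/uapi/, renumbering the enum is a user-visible ABI change; both points need a justification in the commit message, which the patch currently lacks.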
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project