> The basic idea is we bump a refcnt on the netfilter defrag module and
> then run the bpf prog after the defrag module runs. This allows bpf
> progs to transparently see full, reassembled packets. The nice thing
> about this is that progs don't have to carry around logic to detect
> fragments.

One high-level comment after glancing through the series: Instead of
allocating a flag specifically for the defrag module, why not support
loading (and holding) arbitrary netfilter modules in the UAPI? If we need
to allocate a new flag every time someone wants to use a netfilter module
along with BPF we'll run out of flags pretty quickly :)

-Toke