Hello,
Luca Bedogni wrote:
> So I think that if you pass a packet to POSTROUTING that exceeds MTU,
> netfilter will try to send it anyway right? Because you have to fragment
> before, 'cos netfilter doesn't expect a packet exceeding MTU right?
> But how could that fragmentation be done?
Netfilter does not send packets: it just drops them, mangles them or
lets them through.
Disclaimer: I observed the following in the 2.4.18 kernel and cannot
assert whether it is still true for 2.6 kernels with ip_conntrack or
nf_conntrack, or even for recent 2.4 kernels.
If needed (packet size > output path MTU), the IP stack fragments:
- locally generated packets before the NF_IP_LOCAL_OUT Netfilter hook
(where the iptables OUTPUT chains are located);
- forwarded packets after the NF_IP_FORWARD Netfilter hook (where the
iptables FORWARD chains are located).
BUT, when the ip_conntrack module is loaded (or built-in), which is
needed for connection tracking and stateful NAT operation, it can
perform an extra fragmentation in the NF_IP_POST_ROUTING Netfilter hook
after the POSTROUTING iptables chains. The reason is ip_conntrack needs
to reassemble packets first in the NF_IP_LOCAL_OUT Netfilter hook before
the OUTPUT iptables chains.
You can see all this (and more) in the following diagram:
http://www.plouf.fr.eu.org/bazar/netfilter/schema_netfilter.txt
So, if you generate a packet of the maximum size for an interface, use
advanced routing to reroute it to another interface with a smaller MTU
and ip_conntrack is not present, the packet will not be fragmented. It
will just be forwarded to the network device driver "as is".
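A constructed Python model of the path described in this message, added here as an example (it is not kernel code and not from the thread): the hook names are the ones above, while `fragment`, `traverse` and the 20-byte option-less header are assumptions of the model.

```python
# Constructed model (not kernel code) of the 2.4 IPv4 path described above:
# where the stack fragments relative to the Netfilter hooks, and why a packet
# rerouted in the OUTPUT chain can reach the driver "as is".
IHL = 20  # assumption: plain IPv4 header without options

def fragment(total_len, mtu):
    """Split a datagram into (offset in 8-byte units, payload bytes, more-frags)
    tuples; every fragment but the last carries a multiple of 8 payload bytes."""
    payload = total_len - IHL
    if total_len <= mtu:
        return [(0, payload, False)]
    chunk = (mtu - IHL) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append((off // 8, n, off + n < payload))
        off += n
    return frags

def traverse(total_len, origin, route_mtu, conntrack, reroute_mtu=None):
    """origin is 'local' or 'forward'; route_mtu is the MTU of the interface
    picked by the first routing decision; reroute_mtu is the MTU of the
    interface picked after a mangle OUTPUT reroute (local packets only).
    Returns (hook trace, fragments handed to the driver, oversized ones)."""
    trace = []
    if origin == 'local':
        frags = fragment(total_len, route_mtu)   # fragmented BEFORE NF_IP_LOCAL_OUT
        trace += [('fragment', route_mtu), 'NF_IP_LOCAL_OUT']
        out_mtu = reroute_mtu or route_mtu       # reroute may change the output device
    else:
        trace += ['NF_IP_PRE_ROUTING', 'NF_IP_FORWARD']
        out_mtu = route_mtu
        frags = fragment(total_len, out_mtu)     # fragmented AFTER NF_IP_FORWARD
        trace.append(('fragment', out_mtu))
    trace.append('NF_IP_POST_ROUTING')
    if conntrack:
        # ip_conntrack reassembled the datagram for tracking; after the
        # POSTROUTING chains it fragments again for the actual output MTU.
        frags = fragment(total_len, out_mtu)
        trace.append(('conntrack_refragment', out_mtu))
    oversized = [f for f in frags if f[1] + IHL > out_mtu]
    return trace, frags, oversized

if __name__ == '__main__':
    for ct in (False, True):
        trace, frags, bad = traverse(1500, 'local', 1500, ct, reroute_mtu=1400)
        print('conntrack' if ct else 'no conntrack', frags, 'oversized:', bad)
```

Without conntrack the rerouted 1500-byte local packet reaches the driver as a single oversized fragment; with conntrack it is refragmented for the 1400-byte interface.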