>> In that case, what happens to packets for which conntracking was
>> disabled (NOTRACK in raw)? Are they also defragmented or not?
>
> Good question. I have no answer. This requires some code reading or a
> bit of testing.

For IPv4: if we have NAT enabled, packets should be defragmented at the
PREROUTING chain to map to the correct destination {ip + port}. If we
don't have NAT also, defragmented packets don't have information about
ports; I think it should be defragmented. I don't know about the HOOK in
which it happens.

Thanks,
Ratheesh

On Wed, Mar 3, 2010 at 10:27 PM, Pascal Hambourg <pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Christoph Anton Mitterer a écrit :
>>
>> 1) If I disable conntracking for packets using NOTRACK in raw, what
>> happens if I e.g. match the state later in filter? Does the rule
>> simply not match for such packets, or is it INVALID?
>
> Packets processed with the NOTRACK target have the UNTRACKED state.
>
>> 2) The addrtype module provides several address types. Where can I
>> find which addresses are _exactly_ matched by a given type for a given
>> protocol (especially IPv4/6)?
>> I'm especially (but not only) interested in what LOCAL actually means.
>> Is it all addresses of a host's network interfaces PLUS ALL the
>> addresses on those networks (like a "localnets")?
>> Or is it all the addresses which the kernel thinks the host has itself, e.g.
>
> The latter, I guess.
>
>> 3) --fragment
>> a) It's quite clear what happens if one uses "-f" or "! -f", but what
>> happens if neither of the two is given? Does it mean "! -f", or is it
>> like "match not fragmented packets AND fragmented packets (both the
>> first AND further fragments)"?
>
> The latter, obviously. All packets are matched regardless of fragmentation.
>
>> b) Is it true that when conntracking is used, packets are
>> automatically defragmented, so one doesn't have to care about fragments at
>> all?
>
> For IPv4, indeed when conntrack is enabled incoming fragmented datagrams
> are reassembled before the PREROUTING chains. Note that packets which
> are to be delivered locally are reassembled by the stack (not by
> conntrack) before the INPUT chains anyway, so you never see fragments in
> INPUT chains.
>
> AFAIK things work a bit differently for IPv6: fragmented datagrams are
> "virtually" reassembled for conntrack (the reason being that an IPv6
> router does not handle fragmentation/reassembly), but continue to exist
> as fragments through the ip6tables chains and the IPv6 stack.
>
>> In that case, what happens to packets for which conntracking was
>> disabled (NOTRACK in raw)? Are they also defragmented or not?
>
> Good question. I have no answer. This requires some code reading or a
> bit of testing.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
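The reason port-based matching needs reassembly (only the first fragment carries the UDP/TCP header, which is what Ratheesh's answer and question 3b are about) can be seen with this added Python example; it is not code from the thread or from netfilter. It builds a constructed UDP/IPv4 datagram, fragments it at a made-up MTU, shows which fragments expose the ports, and reassembles them in any order.

```python
import struct

# Constructed sample: addresses, ports, identification and MTU are made up.
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])

def ipv4_header(total_len, ident, flags_frag, proto=17):
    # Minimal 20-byte IPv4 header; checksum left zero (not needed here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, 64, proto, 0, SRC, DST)

def fragment(payload, ident, mtu):
    """Split an L4 payload into IPv4 fragments that fit the MTU."""
    chunk = (mtu - 20) // 8 * 8      # fragment data is 8-byte aligned except the last
    frags = []
    for off in range(0, len(payload), chunk):
        data = payload[off:off + chunk]
        more = 1 if off + chunk < len(payload) else 0
        flags_frag = (more << 13) | (off // 8)   # MF flag + offset in 8-byte units
        frags.append(ipv4_header(20 + len(data), ident, flags_frag) + data)
    return frags

def udp_ports(pkt):
    """(sport, dport) if this fragment carries the UDP header, else None."""
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if flags_frag & 0x1FFF:          # non-zero offset: no L4 header in this fragment
        return None
    return struct.unpack("!HH", pkt[20:24])

def reassemble(frags):
    """Rebuild the L4 payload from fragments given in any order; None if incomplete."""
    parts, total = {}, None
    for pkt in frags:
        flags_frag = struct.unpack("!H", pkt[6:8])[0]
        off = (flags_frag & 0x1FFF) * 8
        parts[off] = pkt[20:]
        if not (flags_frag >> 13) & 1:   # MF clear: this is the last fragment
            total = off + len(parts[off])
    buf = b"".join(parts[o] for o in sorted(parts))
    return buf if total is not None and len(buf) == total else None

def demo():
    # UDP header (sport 4000, dport 53, length 108, checksum 0) plus 100 bytes of data.
    udp = struct.pack("!HHHH", 4000, 53, 108, 0) + bytes(range(100))
    frags = fragment(udp, 0x1234, 64)
    ports_per_fragment = [udp_ports(f) for f in frags]
    return ports_per_fragment, reassemble(frags[::-1]) == udp

if __name__ == "__main__":
    print(demo())
```

A rule such as `-p udp --dport 53` can therefore only match the offset-0 fragment; the rest is why conntrack (or the local stack) reassembles before the PREROUTING/INPUT chains.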