From: Cong Wang <amwang@redhat.com>
To: Michal Kubecek <mkubecek@suse.cz>
Cc: netdev@vger.kernel.org, Herbert Xu <herbert@gondor.hengli.com.au>,
	"David S. Miller" <davem@davemloft.net>,
	Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
	Patrick McHardy <kaber@trash.net>,
	Shan Wei <shanwei@cn.fujitsu.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	netfilter-devel@vger.kernel.org
Subject: Re: [RFC Patch net-next] ipv6: unify conntrack reassembly expire code with standard one
Date: Tue, 21 Aug 2012 21:38:58 +0800
Message-ID: <1345556338.3044.1.camel@cr0>
In-Reply-To: <20120820202109.GB28790@unicorn.suse.cz>

On Mon, 2012-08-20 at 22:21 +0200, Michal Kubecek wrote:
> On Mon, Aug 20, 2012 at 05:06:39PM +0800, Cong Wang wrote:
> > doesn't work. I think we probably can save the struct net pointer in
> > struct netns_frags during inet_frags_init_net(), so that container_of()
> > can be eliminated. 
> 
> This would work but one would have to check carefully that the pointer
> is always set to a usable value. Or we could just add a flag indicating
> whether the structure is embedded (and if it is not, use init_net).
> Another approach was suggested in the patchworks discussion: add a
> special namespace for IPv6 conntrack fragment handling.

I think your former solution is easier, I will try it.

> 
> > Thanks for testing! I tried to test it too, but it seems I can't trigger a
> > defragment. Any hints?
> 
> I used netfilter on a computer between source and destination of the 
> packets (generated with "ping6 -s 3000"):
> 
> ip6tables -A FORWARD -o ... -m frag --fragid 0:0xFFFFFFFF --fraglast -j DROP
> 
> The --fragid condition is needed to work around a bug in iptables (if 
> frag module is loaded and there is no --fragid, only packets with zero
> fragment id match - patch for this is already in git). On the target,
> packet is defragmented automatically, by default by the "normal" code,
> with nf_conntrack_ipv6 module by the conntrack code.
> 
> Setting
> 
>   echo 5 >/proc/sys/net/ipv6/ip6frag_time
>   echo 5 >/proc/sys/net/netfilter/nf_conntrack_frag6_timeout
> 
> on target also helps.
> 

Great! This helps!

Thanks!
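The design question in the exchange above (how `netns_frags` gets back to its owning `struct net` when the conntrack instance is not embedded in one) can be illustrated with a small user-space mock. The following C is an added example, not code from the thread or from the kernel: `struct net`, `struct netns_frags`, `init_net` and `inet_frags_init_net()` are hypothetical stand-ins with the same shape as the kernel names, and the `net` back-pointer is the proposal from the thread, not a field the kernel had at the time. It shows why a bare `container_of()` is only valid for the embedded instance, and how a stored pointer plus a fallback to `init_net` (the two suggestions in the reply) gives a lookup that is safe for both cases.

```c
/* Added example (not kernel code): user-space mock of the netns_frags
 * back-pointer problem. All structure and function names below are
 * hypothetical stand-ins for the kernel's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Kernel-style container_of: recover the enclosing object from a member.
 * Only valid when the member really is embedded in an object of `type`. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct net;

/* Mock of netns_frags with the proposed back-pointer added. */
struct netns_frags {
    int timeout;        /* stands in for ip6frag_time / nf_conntrack_frag6_timeout */
    struct net *net;    /* proposal: owner recorded in inet_frags_init_net(), NULL if none */
};

/* Mock of struct net with an embedded IPv6 fragment state. */
struct net {
    int ns_id;
    struct netns_frags ipv6_frags;
};

/* Stand-in for the kernel's init_net; its ipv6_frags.net stays NULL. */
static struct net init_net = { .ns_id = 0 };

/* Stand-in for inet_frags_init_net(): records which namespace owns `nf`.
 * A standalone instance (like the conntrack one) passes owner == NULL. */
static void inet_frags_init_net(struct netns_frags *nf, struct net *owner)
{
    nf->timeout = 60;
    nf->net = owner;
}

/* Sanity check for the "check carefully that the pointer is usable" concern:
 * true only if the recorded owner really embeds this exact object, i.e. a
 * container_of() on it would be legitimate. */
static bool frags_embedded(const struct netns_frags *nf)
{
    return nf->net != NULL && &nf->net->ipv6_frags == nf;
}

/* Safe owner lookup following the thread: use the stored pointer when set
 * (no container_of needed), otherwise treat the instance as belonging to
 * init_net. Never computes an out-of-bounds pointer for a standalone object. */
static struct net *frags_to_net(struct netns_frags *nf)
{
    if (nf->net)
        return nf->net;
    return &init_net;
}

/* Constructed scenario: one real namespace with an embedded frag state and
 * one standalone frag state, as nf_conntrack_ipv6 would have. */
static struct net ns_a = { .ns_id = 1 };
static struct netns_frags ct_frags;

static void setup_mock(void)
{
    inet_frags_init_net(&ns_a.ipv6_frags, &ns_a);   /* embedded: owner known */
    inet_frags_init_net(&ct_frags, NULL);           /* standalone: no owner */
}

int main(void)
{
    setup_mock();
    printf("ns_a frags -> ns %d (embedded=%d)\n",
           frags_to_net(&ns_a.ipv6_frags)->ns_id, frags_embedded(&ns_a.ipv6_frags));
    printf("conntrack frags -> ns %d (embedded=%d)\n",
           frags_to_net(&ct_frags)->ns_id, frags_embedded(&ct_frags));
    /* container_of() is only taken on the instance proven to be embedded. */
    if (frags_embedded(&ns_a.ipv6_frags))
        printf("container_of agrees: %d\n",
               container_of(&ns_a.ipv6_frags, struct net, ipv6_frags) == &ns_a);
    return 0;
}
```

The point of `frags_embedded()` is that a back-pointer alone is only as trustworthy as the code that sets it; checking that the recorded owner actually contains the object turns "always set to a usable value" into something that can be asserted at the call site instead of assumed.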


Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2012-08-17  8:02 [RFC Patch net-next] ipv6: unify conntrack reassembly expire code with standard one Cong Wang
2012-08-17 17:05 ` Michal Kubeček
2012-08-20  9:06   ` Cong Wang
2012-08-20 20:21     ` Michal Kubecek
2012-08-21 13:38       ` Cong Wang [this message]
2012-08-24 10:13       ` Cong Wang