From: Hans Schillstrom <hans.schillstrom@ericsson.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Patrick McHardy <kaber@trash.net>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	"jengelh@medozas.de" <jengelh@medozas.de>,
	"netfilter-devel@vger.kernel.org"
	<netfilter-devel@vger.kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"hans@schillstrom.com" <hans@schillstrom.com>
Subject: Re: [PATCH 1/1] netfilter: Add possibility to turn off netfilters defrag per netns
Date: Wed, 4 Jan 2012 11:18:17 +0100
Message-ID: <201201041118.18552.hans.schillstrom@ericsson.com>
In-Reply-To: <alpine.DEB.2.00.1201041000150.925@blackhole.kfki.hu>

On Wednesday 04 January 2012 10:03:49 Jozsef Kadlecsik wrote:
> On Wed, 4 Jan 2012, Hans Schillstrom wrote:
> 
> > On Wednesday 04 January 2012 09:28:05 Jozsef Kadlecsik wrote:
> > > 
> > > On Wed, 4 Jan 2012, Hans Schillstrom wrote:
> > > 
> > > > In some cases it is not desirable to have auto defrag.
> > > > Ex. in a cluster where packets can arrive on different blades.
> > > > In that case it is possible to use containers (LXC) and send
> > > > all fragments to one place where defrag is enabled.
> > > > 
> > > > This patch makes it possible to turn off the defrag per network name space,
> > > > by setting net.netfilter.nf_conntrack_nodefrag to 1.
> > > > Both IPv4 and IPv6 are affected by this sysctl.
> > > > Default is 0, which is defrag.
> > > 
> > > Conntrack assumes that the packets are defragmented and will drop any 
> > > unfragmented one. So your patch results in packet drops.
> > 
> > Hmmm, more work...
> > > 
> > > Also, if you want to disable defragmentation then why don't you simply 
> > > "mark" the packets with the NOTRACK target?
> > 
> > I don't think that will work since NF_IP_PRI_CONNTRACK_DEFRAG is -400
> 
> Then change NF_IP_PRI_RAW so that it precedes NF_IP_PRI_CONNTRACK_DEFRAG. 
> It should be made possible for the raw table to completely override conntrack; 
> defrag is an implicit part of the latter.
> 

Another idea: turn off both conntrack and defrag,
i.e. do like NOTRACK and rename the flag?

Quick example for IPv4:
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -74,6 +74,14 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
...
+	const struct net_device *dev = (hooknum == NF_INET_LOCAL_OUT ?
+					out : in);
+
+	/* No defrag and not Previously seen (loopback)? */
+	if (dev_net(dev)->ct.sysctl_notrac_defrag && skb->nfct) {
+		/* Attach fake conntrack entry. as in NOTRACK */
+		skb->nfct = &nf_ct_untracked_get()->ct_general;
+		skb->nfctinfo = IP_CT_NEW;
+		nf_conntrack_get(skb->nfct);
+		return NF_ACCEPT;
+	}
...
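Review bot: The `skb->nfct` test in the new condition looks inverted relative to its own comment: `/* No defrag and not Previously seen (loopback)? */` describes a packet that has no conntrack attached yet, but `if (dev_net(dev)->ct.sysctl_notrac_defrag && skb->nfct)` fires only when one is already attached, and the block then overwrites `skb->nfct` with the untracked entry without releasing the reference it held, so a packet that has already been through conntrack (the loopback case the comment names) leaks a reference instead of being left alone. Suggest `&& !skb->nfct`, so the untracked entry is attached only to packets that carry no conntrack yet, and while here, spelling the sysctl field `sysctl_notrack_defrag` to match the NOTRACK name the cover text uses.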

-- 
Regards
Hans Schillstrom <hans.schillstrom@ericsson.com>
