From: Patrick McHardy <kaber@trash.net>
To: Harald Welte <laforge@gnumonks.org>
Cc: Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
coreteam@netfilter.org
Subject: Re: [RFC]: ip_conntrack breaks UDP PMTU
Date: Fri, 14 Feb 2003 14:42:16 +0100 [thread overview]
Message-ID: <3E4CF238.2030207@trash.net> (raw)
In-Reply-To: <20030214080612.GN14794@sunbeam.de.gnumonks.org>
Harald Welte wrote:
>From https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=48
>
>
>
>>ip_conntrack defrags packets at PRE_ROUTING and LOCAL_OUT and
>>refragments them at POST_ROUTING without careing about IP_DF. packets
>>with IP_DF|IP_MF can be refragmented with a different size, so path
>>mtu discovery is broken. Linux nfs itself sends out packets with
>>IP_DF|IP_MF.
>>
>>------- Additional Comments From Harald Welte 2003-02-14 09:02 -------
>>
>>This is a really hard issue.
>>
>>The problem is that we _need_ to defragment at NF_IP_PRE_ROUTING in
>>order to have the be able to do connection tracking. So at this point
>>we would need to save the sizes of all individual fragments. This
>>would enable us to re-fragment to exactly the same size at
>>POST_ROUTING.
>>
>>Another obvious approach was to check for IP_DF and see if it is
>>bigger than the MTU of the outgoing interface. The problem is: before
>>we do conntrack at NF_IP_PRE_ROUTING we don't know what potential NAT
>>bindings apply to this connection/packet - and thus don't know the
>>outgoing interface [that's why it's called PRE_ROUTING].
>>
>>And then, what happens if NAT has to resize (enlarge/shrink) a packet.
>>How should we deal with this while re-fragmenting?
>>
>>I think this needs some good discussion at netfilter-devel...
>>
>>
>
>So what are we going to do? Does anybody have an alternative (viable?)
>approach?
>
>And if we go for my first propsal, how/where would we store the
>list-of-fragment-sizes? We certainly don't want it to be dynamically
>allocated... but according to RFC791 there kan be 8192 fragments of 8
>octets each...
>
Usually all fragments except the last one will have equal size, so the
fragment
sizes can be stored as (size, boundary) tuples. I would suggest making
the max.
number of different fragment sizes fixed or controllable via sysctl and
set it to some
low default (like 4). This would reduce the amount of memory per
reassembled packet
to 4 * (2b + 2b) = 16b.
Bye,
Patrick
next prev parent reply other threads:[~2003-02-14 13:42 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-02-14 8:06 [RFC]: ip_conntrack breaks UDP PMTU Harald Welte
2003-02-14 13:42 ` Patrick McHardy [this message]
2003-02-14 14:55 ` Harald Welte
2003-02-15 5:12 ` Patrick McHardy
2003-02-15 19:34 ` [netfilter-core] " Jozsef Kadlecsik
2003-02-15 17:58 ` Thomas Poehnitzsch
2003-02-15 20:50 ` Patrick McHardy
2003-02-16 23:55 ` Thomas Poehnitzsch
2003-02-17 0:39 ` Patrick McHardy
2003-02-16 19:54 ` Harald Welte
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3E4CF238.2030207@trash.net \
--to=kaber@trash.net \
--cc=coreteam@netfilter.org \
--cc=laforge@gnumonks.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.