From: Patrick McHardy <kaber@trash.net>
To: Hans Schillstrom <hans@schillstrom.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
jengelh@medozas.de, netfilter-devel@vger.kernel.org,
netdev@vger.kernel.org, hans.schillstrom@ericsson.com
Subject: Re: [v4 PATCH 1/2] NETFILTER module xt_hmark, new target for HASH based fwmark
Date: Wed, 30 Nov 2011 16:27:26 +0100
Message-ID: <4ED64B5E.2030705@trash.net>
In-Reply-To: <hr62jai.42522fc2b4c8846204d05566f5c6b926@obelix.schillstrom.com>
On 11/28/2011 10:36 AM, Hans Schillstrom wrote:
>> If you don't want to use conntrack in your setup and you want to handle
>> fragments, then you have to configure HMARK to calculate the hashing
>> based on the network addresses. If you want to fully support fragments,
>> then enable conntrack and you can configure HMARK to calculate the
>> hashing based on network address + transport bits.
>>
>> Fix this by removing the fragmentation handling, then assume that
>> people can select between two hashing configurations for HMARK. One
>> based on the network address, which is fragment-safe, and one that uses the
>> transport layer information, which requires conntrack. Otherwise, I
>> don't see a sane way to handle this situation.
> Correct me if I'm wrong here,
> If conntrack is enabled hmark doesn't see the packet until it is reassembled, and
> in that case the fragmentation header is removed.
>
> So, with conntrack HMARK will operate on full packets, not fragments;
> without conntrack, ports will not be used on any fragment.
Correct.
You don't necessarily need conntrack for defragmentation though,
we've moved defragmentation to a separate module for TPROXY. You
can depend on that and get defragmentation without full
connection tracking.
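The point of the exchange above, as an added illustration that is not part of the thread and not the xt_hmark module's own code: a mark computed from network addresses only is identical for every fragment of a datagram, whereas a mark that folds in transport ports can only be computed on the first fragment (the only one carrying the transport header) unless something (conntrack, or the standalone defragmentation module) reassembles the datagram first. The `Packet` model, the SHA-256-based stand-in for the kernel's hash, the `defragment` helper and the sample fragments are all constructed for this example; the real module's hash function, option names and mark arithmetic are not reproduced here.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Constructed toy model of an IPv4 packet or fragment. Only the fields a
# hash-based mark cares about are kept. Transport ports are present only when
# the fragment carries the transport header, i.e. the first fragment (offset 0).
@dataclass
class Packet:
    src: str
    dst: str
    proto: int            # 17 = UDP, 6 = TCP
    ident: int            # IP identification, shared by all fragments of one datagram
    frag_offset: int      # offset in 8-byte units; 0 for the first fragment
    more_fragments: bool  # MF flag; False on the last fragment
    payload: bytes
    sport: Optional[int] = None
    dport: Optional[int] = None


def _hash32(*fields) -> int:
    # Stand-in for the kernel's jhash (assumption); only determinism matters here.
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def hmark_l3(pkt: Packet, modulus: int = 4, offset: int = 0) -> int:
    """Fragment-safe mode: hash network addresses and protocol only."""
    return _hash32(pkt.src, pkt.dst, pkt.proto) % modulus + offset


def hmark_l3l4(pkt: Packet, modulus: int = 4, offset: int = 0) -> Optional[int]:
    """Transport mode: needs ports, which only the first fragment carries.

    Returns None when the ports are not available, which is exactly the
    situation the thread discusses for non-first fragments without defrag.
    """
    if pkt.frag_offset != 0 or pkt.sport is None or pkt.dport is None:
        return None
    return _hash32(pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport) % modulus + offset


def defragment(frags: List[Packet]) -> List[Packet]:
    """Reassemble complete datagrams, the job conntrack or nf_defrag does before HMARK runs.

    Incomplete or non-contiguous groups are dropped rather than passed on, so a
    returned Packet always carries its transport header and ports.
    """
    groups: Dict[Tuple, List[Packet]] = {}
    for f in frags:
        groups.setdefault((f.src, f.dst, f.proto, f.ident), []).append(f)
    whole: List[Packet] = []
    for parts in groups.values():
        parts.sort(key=lambda p: p.frag_offset)
        expected = 0
        for p in parts:
            if p.frag_offset != expected:
                break  # hole in the datagram: not reassemblable (yet)
            expected += len(p.payload) // 8
        else:
            if parts[0].frag_offset == 0 and not parts[-1].more_fragments:
                first = parts[0]
                whole.append(Packet(first.src, first.dst, first.proto, first.ident,
                                    0, False, b"".join(p.payload for p in parts),
                                    first.sport, first.dport))
    return whole


def make_fragments() -> List[Packet]:
    # Constructed sample: one UDP datagram split into three fragments.
    # Non-first fragments have no UDP header, so no ports.
    common = dict(src="192.0.2.10", dst="198.51.100.7", proto=17, ident=0x1234)
    return [
        Packet(**common, frag_offset=0, more_fragments=True, payload=b"A" * 16,
               sport=40000, dport=53),
        Packet(**common, frag_offset=2, more_fragments=True, payload=b"B" * 16),
        Packet(**common, frag_offset=4, more_fragments=False, payload=b"C" * 5),
    ]


def marks(pkts: List[Packet], mode) -> List[Optional[int]]:
    return [mode(p) for p in pkts]


if __name__ == "__main__":
    frags = make_fragments()
    print("L3 mode, per fragment:      ", marks(frags, hmark_l3))
    print("L3+L4 without defrag:       ", marks(frags, hmark_l3l4))
    print("L3+L4 after defragmentation:", marks(defragment(frags), hmark_l3l4))
```

Running it shows the three fragments getting one common mark in L3 mode, only the first fragment getting a mark in L3+L4 mode, and a single mark for the reassembled datagram once `defragment` has run. In a deployment that is the difference between every fragment of a flow landing on the same backend and the non-first fragments being marked inconsistently or not at all.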