From: Hans Schillstrom <hans.schillstrom@ericsson.com>
To: Patrick McHardy <kaber@trash.net>
Cc: Hans Schillstrom <hans@schillstrom.com>,
    "pablo@netfilter.org" <pablo@netfilter.org>,
    "jengelh@medozas.de" <jengelh@medozas.de>,
    "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>,
    "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: IPv6 defrag question ?
Date: Thu, 8 Dec 2011 14:29:17 +0100
Message-ID: <201112081429.18441.hans.schillstrom@ericsson.com>
In-Reply-To: <4EE09B39.5070401@trash.net>

On Thursday 08 December 2011 12:10:49 Patrick McHardy wrote:
> On 12/08/2011 10:12 AM, Hans Schillstrom wrote:
> > Hi
> > While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ?
> >
> > From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
> > and HMARK in PREROUTING with prio -150
> >
> > I was expecting that the reassembled packet would reach HMARK not the fragments.
> >
> > (Debug print from hmark)
> > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1)
> > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1)
> >
> > IPv4 do reassm. the packets not IPv6...
>
> Yeah, IPv6 currently only passes the defragmented packet through conntrack,
> then associates the conntrack information with the individual fragments and
> passes those on. I'll post patches for IPv6 NAT which will change this
> to behave similar to IPv4 soon.
>
OK great, current behaviour was kind of unexpected.

BTW this piece of code looks like it's broken
or I might have misunderstood this :-)
at least /* queued */ causes some confusion.

static unsigned int ipv6_defrag(unsigned int hooknum,
...
	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));
	/* queued */
	if (reasm == NULL)
		return NF_STOLEN;

NF_STOLEN will only be returned when nf_ct_frag6_reasm() returns an error.
(called by ct_frag6_gather)
--
Regards
Hans Schillstrom <hans.schillstrom@ericsson.com>