Re: [PATCH] IPv6:Send an ICMPv6 "Fragment Reassembly Timeout" message when enabling connection track

[Patrick McHardy <kaber@trash.net>]

Shan Wei wrote:
> Patrick McHardy wrote, at 02/04/2010 12:42 AM:
>> Shan Wei wrote:
>>> @@ -349,17 +378,20 @@ static int nf_ct_frag6_queue(struct nf_ct_frag6_queue *fq, struct sk_buff *skb,
>>>  	else
>>>  		fq->q.fragments = skb;
>>>  
>>> -	skb->dev = NULL;
>>>  	fq->q.stamp = skb->tstamp;
>>>  	fq->q.meat += skb->len;
>>>  	atomic_add(skb->truesize, &nf_init_frags.mem);
>>>  
>>>  	/* The first fragment.
>>>  	 * nhoffset is obtained from the first fragment, of course.
>>> +	 * Reserve dev for sending an ICMP "Fragment Reassembly Timeout"
>>> +	 * message.
>>>  	 */
>>>  	if (offset == 0) {
>>>  		fq->nhoffset = nhoff;
>>>  		fq->q.last_in |= INET_FRAG_FIRST_IN;
>>> +	} else {
>>> +		skb->dev = NULL;
>>>  	}
>> We need to store the iif and perform a lookup later just as in IPv4
>> because the device is not reference counted and might disappear while
>> the fragments are queued.
> 
> There is no net namespace in nf_conntrack_reasm,
> So we can't look up net device according to stored iif.
> 
> How about introducing net namespace to nf_conntrack_reasm?
> There are the following two advantages:
> 1. nf_init_frags can be deleted, because net structure includes netns_frags structure member.
> 
> 2. Record counter value, e.g. IPSTATS_MIB_REASMFAILS if reassamble with fail.
>    Since IPv6 conntrack fails to reassamble fragments, then the original fragment is not forwarded to IPv6 stack. 
>    The counter value can't be recorded. But IPv4 conntrack uses IPv4 defrag code, and records
>    counter value correctly.
> 
> These are just my thoughts, no practice.

Sounds good to me.