From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
To: Patrick McHardy <kaber@trash.net>
Cc: Shan Wei <shanwei@cn.fujitsu.com>,
	YOSHIFUJI Hideaki <hideaki.yoshifuji@gmail.com>,
	David Miller <davem@davemloft.net>,
	Alexey Dobriyan <adobriyan@gmail.com>,
	Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	netfilter-devel@vger.kernel.org,
	YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Subject: Re: [RFC PATCH net-next 0/7 v2]IPv6:netfilter: defragment
Date: Wed, 24 Mar 2010 03:58:58 +0900
Message-ID: <4BA90F72.6010404@linux-ipv6.org>
In-Reply-To: <4BA8F75E.2040303@trash.net>

Hello.

(2010/03/24 2:16), Patrick McHardy wrote:
> YOSHIFUJI Hideaki wrote:
>> Hello.
>>
>> Sorry for my slow response.
>>
>> (2010/03/16 1:27), Patrick McHardy wrote:
>>> YOSHIFUJI Hideaki wrote:
>>>> (2010/03/11 18:16), Shan Wei wrote:
>>>>>> On the other hand, I'd even say we should NOT send
>>>>>> icmp here (at least by default) because standard routers
>>>>>> never send such packet.
>>>>>
>>>>> Yes, for routers, the patch-set does not send icmp message to
>>>>> source host. It only does on destination host with IPv6 connection
>>>>> track enabled.
>>>>
>>>> Please make it optional (via parameter) at least.
>>>
>>> The ICMP messages are only sent if the packet is destined for the
>>> local host, similar to what IPv6 defrag would do if conntrack wouldn't
>>> be used. So this patch increases consistency, why should we make this
>>> optional?
>>
>> Well, in the first place, I do think conntrack should be
>> transparent as much as possible.  And, I cannot find other
>> netfilter conntrack code (ipv4 or ipv6) sending icmp e.g.
>> parameter problem etc.
>
> Agreed on the transparent part, however I consider silently dropping
> packets not transparent. In fact conntrack itself should never drop
> packets except under some very special circumstances when there's
> no other choice in order to operate correctly. Dropping packets is
> supposed to be a policy decision made by the user.

Definitely right.
> In this case without conntrack, IPv6 would send an ICMPv6 message,
> so in my opinion the transparent thing to do would be to still send
> them. Of course only if reassembly is done on an end host.

Well, no.  conntrack should just forward even uncompleted fragments
to next process (e.g. core ipv6 code), and then the core would send
ICMP error back.  ICMP should be sent by the core ipv6 code according
to decision of itself, not according to netfilter.
> There's really no difference in sending these packets from conntrack
> compared to passing the incomplete fragments upwards to IPv6 and
> waiting for another timeout, except that its easier to implement
> consistently by generating the packets within conntrack.

It should never be sent by the decision of the netfilter because
the semantics and code paths are different in the two cases.

>> As I said before, I agree that netfilter may drop packets
>> by any reasons, but I do think it should be done silently.
>> It can increment netfilter's own statistic counting etc.
>> but it should not increment the core's (especially,
>> specific) statistic counting.
>
> It really depends on what you define as "transparent".

I mean, netfilter conntrack should not either drop or modify any
packets, and it should not generate any additional packets.

>> Reassembling processes are the same.  We should NOT send icmp, and
>> if ever desired, we might optionally send icmp (in other
>> module maybe).
>
> Please see above for my reasoning. There's also the matter of consistency
> between IPv4 and IPv6 conntrack.

Would you please explain more about what you mean by consistency
between IPv4 and IPv6 conntrack?

I do think it is rather different, anyway (because original packets
are to be preserved in IPv6, but not in IPv4).

--yoshfuji
