netfilter-devel.vger.kernel.org archive mirror
From: Giacomo <delleceste@gmail.com>
To: netfilter-devel <netfilter-devel@vger.kernel.org>
Subject: A general question about IP fragmented packets and netfilter
Date: Thu, 23 Jul 2009 08:40:07 +0200
Message-ID: <885896af0907222340m77ef2d6p9767421a608cfdee@mail.gmail.com>

Good morning to all.

I would like to ask you about some points concerning IP fragmented
packets arriving on an interface and the way they are handled by the
netfilter modules, in particular what the situation is in the
netfilter hooks.

Starting from NF_IP_PRE_ROUTING, where destination NAT and
de-masquerading take place, do the packets arrive fragmented - and
netfilter takes care of the fragments - or do they arrive already
reassembled from the IP stack?

In the first case, what is, generally speaking, the technique adopted
to track fragmented IP packets and assign each of them to the correct
flow?

In the second case, if I register with the netfilter NF_IP_PRE_ROUTING
hook, which is the correct "priority" to assign during registration to
receive packets already reassembled?

Thanks in advance.

Giacomo


-- 
Giacomo S.
http://www.giacomos.it

- - - - - - - - - - - - - - - - - - - - - -

* April 2008: iqfire-wall, an open
  source project that implements a
  network packet filter for Linux,
  is available for download here:
  http://sourceforge.net/projects/ipfire-wall

* Information and official web page:
  http://www.giacomos.it/iqfire/index.html

- - - - - - - - - - - - - - - - - - - - - -

 . ''  `.
:   :'    :
 `.  ` '
    `- Debian GNU/Linux -- The power of freedom
        http://www.debian.org
