Re: IP defrag (was RE: ipchains blocking port 65535)

Andi Kleen (ak@suse.de)
Wed, 17 Jan 2001 18:35:47 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Terrence Martin: "File System Corruption with 2.2.18"
Previous message: david: "need help raid and 2.4.0"

On Wed, Jan 17, 2001 at 05:15:54PM -0000, Tony Gale wrote:
>
> On 17-Jan-2001 Jussi Hamalainen wrote:
> > On Wed, 17 Jan 2001, Tony Gale wrote:
> >
> >> It looks like this is due to the odd way in which ipchains handles
> >> fragments. Try:
> >>
> >> echo 1 > /proc/sys/net/ipv4/ip_always_defrag
> >
> > Thanks, this seems to do the trick. Does this oddity still exist
> > in 2.4?
> >
>
> Well, I haven't found it, but there is
> /proc/sys/net/ipv4/ipfrag_high_thresh
> /proc/sys/net/ipv4/ipfrag_low_thresh
> /proc/sys/net/ipv4/ipfrag_time
>
> Perhaps 2.4 always defrags packets by default. Anyone confirm? This
> is pretty much needed for any kind of firewall/masquerading system.

Connection tracking always defrags as needed. masquerading/NAT/iptables
with connection tracking uses that.

This means that if any of these are enabled and your machine acts as a
router lots of CPU could get burned in defragmentation, and packets
will not forwarded until all fragments arrived.

All very nasty, but unfortunately there is no alternative.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Terrence Martin: "File System Corruption with 2.2.18"
Previous message: david: "need help raid and 2.4.0"