Re: IP defrag (was RE: ipchains blocking port 65535)

Tony Gale (gale@syntax.dera.gov.uk)
Wed, 17 Jan 2001 17:44:30 -0000 (GMT)


On 17-Jan-2001 Andi Kleen wrote:
>
> Connection tracking always defrags as needed. masquerading/NAT/iptables
> with connection tracking uses that.
>
> This means that if any of these are enabled and your machine acts as a
> router, lots of CPU could get burned in defragmentation, and packets
> will not be forwarded until all fragments have arrived.

Hmm... ok, what if I'm on a single NIC system using ipchains on the
input and want to always defrag before they hit the ipchains
filter, what settings would I need? No masq., no NAT. (Bearing in
mind that ipchains differentiates between SYN+frag and noSYN+frag.)

>
> All very nasty, but unfortunately there is no alternative.
>

Nasty but necessary. Such is life.

-tony

---
E-Mail: Tony Gale <gale@syntax.dera.gov.uk>
Isn't it nice that people who prefer Los Angeles to San Francisco live there?
		-- Herb Caen
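As an added illustration, not code from this thread or from the kernel, here is a small Python model of the two points above: a filter that sees raw fragments can only inspect TCP flags in the first fragment (the SYN+frag vs. noSYN+frag distinction), and a defragmenting stage has to hold every fragment of a datagram until the last one arrives. The IPv4 headers, addresses and the IP id are constructed sample values.

```python
import struct

def build_fragment(ident, offset, more, payload):
    """Constructed test data: minimal IPv4 header (no options) around payload.
    offset is in bytes and must be a multiple of 8; addresses are placeholders."""
    flags_frag = (0x2000 if more else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def parse(pkt):
    """Return (ident, byte offset, more-fragments flag, payload) of one fragment."""
    ihl = (pkt[0] & 0x0F) * 4
    ident, flags_frag = struct.unpack("!HH", pkt[4:8])
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:]

def syn_visible(pkt):
    """What a filter sees without defrag: only a first fragment carries TCP flags."""
    _, offset, _, data = parse(pkt)
    if offset != 0 or len(data) < 14:
        return None   # later fragment, or header cut short: flags not inspectable
    return bool(data[13] & 0x02)

class Reassembler:
    """Holds fragments per IP id; hands back the datagram only once all pieces arrived."""
    def __init__(self):
        self.queues = {}

    def feed(self, pkt):
        ident, offset, more, data = parse(pkt)
        q = self.queues.setdefault(ident, {"frags": {}, "total": None})
        q["frags"][offset] = data
        if not more:
            q["total"] = offset + len(data)
        if q["total"] is None:
            return None   # last fragment not seen yet, keep holding
        pos = 0
        while q["frags"].get(pos):   # walk contiguous coverage from offset 0
            pos += len(q["frags"][pos])
        if pos != q["total"]:
            return None   # gap in coverage: keep holding
        datagram = b"".join(q["frags"][o] for o in sorted(q["frags"]))
        del self.queues[ident]
        return datagram

def demo():
    """Split one 20-byte TCP SYN header over two fragments; compare both views."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x02, 512, 0, 0)
    frags = [build_fragment(7, 0, True, tcp[:16]), build_fragment(7, 16, False, tcp[16:])]
    r = Reassembler()
    return [syn_visible(f) for f in frags], [r.feed(f) for f in frags]
```

`demo()` returns `([True, None], [None, <20-byte datagram>])`: the filter can judge the SYN only on the first fragment, and the reassembler releases nothing until the second fragment arrives.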
