Re: IP defrag (was RE: ipchains blocking port 65535)

Andi Kleen (ak@suse.de)
Wed, 17 Jan 2001 19:01:26 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Mo McKinlay: "Re: named streams, extended attributes, and posix"
Previous message: MEHTA,HIREN: "RE: Problems in 2.4 kernel"

On Wed, Jan 17, 2001 at 05:44:30PM -0000, Tony Gale wrote:
>
> On 17-Jan-2001 Andi Kleen wrote:
> >
> > Connection tracking always defrags as needed.
> > masquerading/NAT/iptables
> > with connection tracking uses that.
> >
> > This means that if any of these are enabled and your machine acts
> > as a
> > router lots of CPU could get burned in defragmentation, and packets
> > will not forwarded until all fragments arrived.
>
> Hmm... ok, what if I'm on a single nic system using ipchains on the
> input and want to always defrag before they hit the ipchains
> filter, what settings would I need? No masq., no NAT. (bearing in
> mind that ipchains differentiates between SYN+frag and noSYN+frag.

You probably need to just load ip_conntrack_standalone and make sure it runs.
It has a higher priority than ipchains in the prerouting chain and should just defragment
things.

Better would it be to just write a small netfilter module with a higher
priority than ipchains that always defrags.

Actually I thought I've once seen such a beast, but it doesn't seem to
be included in the main kernel now that I look for it. It's all only a few
lines of code anyways.

-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mo McKinlay: "Re: named streams, extended attributes, and posix"
Previous message: MEHTA,HIREN: "RE: Problems in 2.4 kernel"