Question about fragmenting and NF_IP_FORWARD

[Henrik Nordstrom]

Alexey Vyskubov wrote:

> I need to write NF hook which will completely change skb in
> NF_IP_FORWARD hook. E.g. it may change output device for the packet or
> unset DF bit.

Why FORWARD? Why not PREROUTE?

> But if the packet is too big for the original device and DF bit was set
> in original skb, it will be dropped before NF_IP_FORWARD. Actually it's
> not good because I need to take special actions for these kind of
> packets.
> Is there some way to receive the packet in some hook before it will be
> dropped?

PREROUTE.

> The second question. It seems to me that the packet can be dropped
> before NF_LOCAL_OUT hook -- if there is no route for the packet.

Correct. Routing code drops it then, just as it drops packets before
FORWARD.

iptables/netfilter plays some games with routing to have locally generated
packets rerouted when needed.

> Let's suppose that I'd like to write NF hook which will use IP-over-IP
> for handling some of packets... Again, no way to receive the packet in
> hook?

Not without having a dummy route for them I think..

Personally I would use a virtual IP device to add/remove the IP-over-IP
layer like any of the existing IP-over-IP drivers.

> The third question. It seems to me that some packets could be fragmented
> before NF hook. Hook may change routing (hence MTU for output device
> may be different with MTU used during fragmentation). Is it good?

Don't know.

--
Henrik Nordstrom
MARA Systems AB
Sweden