Fw: [Bug 133788] New: ip_conntrack_in: Frag of proto 17

Harald Welte laforge at netfilter.org
Wed Sep 29 00:05:32 CEST 2004

On Tue, Sep 28, 2004 at 01:05:12PM -0700, David S. Miller wrote:
> If this is true, we need to fix this soon.


I think I've seen something similar in the past, though it was some
broken code in my experimental tree ;). ip_conntrack on an NFS server
has always had a bad history, I have to admit :(

Big question number 1:
First of all, why would a local loopback nfs mount do any fragmenting
in the first place?  'lo' has a MTU of 16k, so why would any piece of
code in the output path build fragments, even with rsize/wsize=8192?

The conntrack message basically means that at NF_IP_PRE_ROUTING we
suddenly see fragmented packets.  This "can never happen" since at the
same PRE_ROUTING hook we defragment just before
via ip_conntrack_defrag() -> ip_ct_gather_frags() -> ip_defrag()

Big question number 2:
How can a fragment survive ip_defrag() ?

Big question number 3:
What is this magic 8k limit?  ip_conntrack doesn't impose any arbitrary
size limitations to packets... and we just use the normal
defragmentation code.

I'm more than puzzled about this, need to do some testing.

- Harald Welte <laforge at netfilter.org>             http://www.netfilter.org/
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : /pipermail/netfilter-devel/attachments/20040929/b939f39a/attachment.bin

More information about the netfilter-devel mailing list