Fw: [Bug 133788] New: ip_conntrack_in: Frag of proto 17
Patrick McHardy
kaber at trash.net
Wed Sep 29 00:36:55 CEST 2004
Harald Welte wrote:
>The conntrack message basically means that at NF_IP_PRE_ROUTING we
>suddenly see fragmented packets. This "can never happen" since at the
>same PRE_ROUTING hook we defragment just before
>via ip_conntrack_defrag() -> ip_ct_gather_frags() -> ip_defrag()
>
>Big question number 2:
>How can a fragment survive ip_defrag()?
>
Pretty simple:
static unsigned int ip_conntrack_defrag(unsigned int hooknum,
                                        struct sk_buff **pskb,
                                        const struct net_device *in,
                                        const struct net_device *out,
                                        int (*okfn)(struct sk_buff *))
{
        /* Previously seen (loopback)?  Ignore.  Do this before
           fragment check. */
        if ((*pskb)->nfct)
                return NF_ACCEPT;
        /* so a fragment that already carries a conntrack reference
           never reaches ip_ct_gather_frags() / ip_defrag() below */
I'll send a patch later.
Regards
Patrick
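As an added illustration of the hook ordering discussed above (not code from the kernel or from the thread), the following toy model runs the PRE_ROUTING pair "defrag, then conntrack_in" over a list of packets and reports whether conntrack_in ever receives a fragment. The struct skb, toy_ip_defrag() and model_conntrack_defrag() are simplified stand-ins for the kernel's sk_buff, ip_defrag() and ip_conntrack_defrag(); only the early return on an existing nfct mirrors the quoted kernel code.

```c
#include <stdbool.h>
#include <stddef.h>
#define NF_ACCEPT 1
#define NF_STOLEN 2

/* Simplified stand-in for the kernel's sk_buff (assumption, not kernel code). */
struct skb {
    unsigned id;       /* IP identification field */
    unsigned frag_off; /* fragment offset, 0 for the first fragment */
    bool more_frags;   /* IP "more fragments" flag */
    void *nfct;        /* conntrack reference, NULL when untracked */
};

static bool is_fragment(const struct skb *s) { return s->more_frags || s->frag_off != 0; }

/* Toy ip_defrag(): steal fragments until the last one arrives, then hand back a whole datagram. */
static struct skb *toy_ip_defrag(struct skb *s)
{
    static struct skb whole;
    if (!is_fragment(s))
        return s;
    if (s->more_frags)
        return NULL;
    whole = *s;
    whole.frag_off = 0;
    return &whole;
}

/* Mirrors the early return quoted in the message: a packet that already carries a conntrack reference bypasses defragmentation. */
static unsigned model_conntrack_defrag(struct skb **pskb)
{
    if ((*pskb)->nfct)
        return NF_ACCEPT;
    *pskb = toy_ip_defrag(*pskb);
    return *pskb ? NF_ACCEPT : NF_STOLEN;
}

/* Runs defrag -> conntrack_in over a packet list; true if conntrack_in ever saw a fragment (the reported symptom). */
bool conntrack_in_saw_fragment(struct skb *pkts, size_t n)
{
    bool seen = false;
    for (size_t i = 0; i < n; i++) {
        struct skb *s = &pkts[i];
        if (model_conntrack_defrag(&s) != NF_ACCEPT)
            continue;           /* fragment was queued by defrag */
        if (is_fragment(s))
            seen = true;        /* this is where the kernel warning would fire */
    }
    return seen;
}
```

The constructed inputs below show the two cases: untracked fragments are reassembled before conntrack_in sees them, while fragments that arrive with nfct already set (a looped-back, already-tracked datagram) skip defrag and reach conntrack_in as fragments.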