Fw: [Bug 133788] New: ip_conntrack_in: Frag of proto 17

Harald Welte laforge at netfilter.org
Wed Sep 29 12:11:08 CEST 2004


On Wed, Sep 29, 2004 at 10:41:31AM +0200, Henrik Nordstrom wrote:

> will get fragmented (by conntrack) and then reinjected..  has it been 
> fixed so the reinjected traffic (which is the same skbuff) has its 
> conntrack state cleared?

no, the nfct remains the same, so we just ignore it from conntrack point
of view (NF_ACCEPT very early, see Patrick's patch).

> I remember this issue coming up before wrt NAT where loopback packets were 
> seen as NEW twice, but I don't remember what the fix was.

No, this shouldn't happen (now anymore?), since the nfct of
LOCAL_OUT/POST_ROUTING is still present in PRE_ROUTING/LOCAL_IN.

I am not sure whether we can make this 'optimization'.  Thinking of TCP
window tracking and someone having packet filter rules for the loopback
device...  But at the moment I cannot think why conntrack'ing the packet
twice would make any difference at all.

NAT on loopback connections.  *sigh*.  I think this is beyond my
imagination at this point.

Most firewalls I've deployed have NOTRACK rules for loopback traffic, so
I tend not to see those issues.

> Regards
> Henrik

-- 
- Harald Welte <laforge at netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie