Fw: [Bug 133788] New: ip_conntrack_in: Frag of proto 17
Harald Welte
laforge at netfilter.org
Wed Sep 29 12:11:08 CEST 2004
On Wed, Sep 29, 2004 at 10:41:31AM +0200, Henrik Nordstrom wrote:
> will get fragmented (by conntrack) and then reinjected.. has it been
> fixed so the reinjected traffic (which is the same skbuff) has its
> conntrack state cleared?
No, the nfct remains the same, so we just ignore it from conntrack's point
of view (NF_ACCEPT very early, see Patrick's patch).
> I remember this issue coming up before wrt NAT where loopback packets were
> seen as NEW twice, but I don't remember what the fix was.
No, this shouldn't happen (not anymore?), since the nfct of
LOCAL_OUT/POST_ROUTING is still present in PRE_ROUTING/LOCAL_IN.
I am not sure whether we can make this 'optimization'. Thinking of TCP
window tracking and someone having packet filter rules for the loopback
device... But at the moment I cannot think why conntrack'ing the packet
twice would make any difference at all.
NAT on loopback connections. *sigh*. I think this is beyond my
imagination at this point.
Most firewalls I've deployed have NOTRACK rules for loopback traffic, so
I tend not to see those issues.
> Regards
> Henrik
--
- Harald Welte <laforge at netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
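As an added example (not code from the mail above or from the netfilter project), here are the raw-table rules behind Harald's remark about NOTRACK for loopback, together with a small audit function that checks an iptables-save dump for them. The dump is a constructed sample, not a real firewall. The raw table is traversed before conntrack in PREROUTING and OUTPUT, so packets hitting these rules never get an nfct and the double-tracking question discussed above does not arise for them. The "-j CT --notrack" spelling is what newer iptables-save emits; the 2004-era target is NOTRACK, and the check accepts both.

```shell
#!/bin/sh
# Added example; not from the original mail or the netfilter project.
# Constructed iptables-save output showing loopback exempted from conntrack
# in the raw table and explicitly accepted in the filter table.
SAMPLE_RULESET='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# loopback_untracked RULESET
# Audit check: returns 0 when both directions of loopback traffic are
# exempted from conntrack in the raw table, 1 otherwise. Accepts the classic
# NOTRACK target and the newer "-j CT --notrack" form.
loopback_untracked() {
    raw=$(printf '%s\n' "$1" | sed -n '/^\*raw$/,/^COMMIT$/p')
    printf '%s\n' "$raw" | grep -qE -e '^-A PREROUTING -i lo -j (NOTRACK|CT --notrack)$' || return 1
    printf '%s\n' "$raw" | grep -qE -e '^-A OUTPUT -o lo -j (NOTRACK|CT --notrack)$' || return 1
    return 0
}

# loopback_accepted RULESET
# Untracked packets never match --ctstate ESTABLISHED,RELATED, so with an
# INPUT policy of DROP the filter table needs an explicit "-i lo -j ACCEPT";
# returns 0 when that rule is present.
loopback_accepted() {
    printf '%s\n' "$1" | grep -qE -e '^-A INPUT -i lo -j ACCEPT$'
}

# On a live host (root): loopback_untracked "$(iptables-save)" && echo "lo untracked"
```

The second check is the caveat that comes with the first: once loopback is untracked, any filter rule that relies on conntrack state will no longer match it, so the explicit accept must precede the state-based rules.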