problem with connection tracking with fragmentation needed icmp error
Patrick McHardy
kaber at trash.net
Fri Nov 3 11:19:52 CET 2006
Nishit Shah wrote:
> Hi,
>
> I have a following setup
>
> machineA ---------- router ---------- firewall ---------- machineB
> 172.16.16.2   172.16.16.1 | 9.9.9.1   9.9.9.2 | 192.168.1.1   192.168.1.2
>
> The router has two interfaces: eth0 is connected to machineA with an MTU of 1000,
> all other interfaces have an MTU of 1500.
> If I ping from machineA to machineB with data size 1200 and the DF bit set,
> the packet will reach machineB, and machineB will reply with the DF bit set and data
> size 1200.
> Upon receiving this packet the router sends an ICMP "fragmentation needed and DF bit
> set" message to machineB. When this packet comes to the firewall, conntrack marks
> that packet's state as INVALID. Is it a valid case?
I don't see how this can happen on current kernels that manually
associate locally generated ICMP errors with the original conntrack.
What kernel version are you running on the router?
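As an added illustration (not code from the thread or from netfilter), here is a simplified Python model of what Patrick describes: conntrack parses the IP/ICMP header embedded in the fragmentation-needed error and looks that tuple up in either direction, so the error becomes RELATED to the echo flow rather than INVALID. The packets, the echo id and the MTU value are constructed from the addresses in the thread; the tuple is reduced to (src, dst, icmp id) and checksums are left at zero, which is a simplification of the real conntrack tuple.

```python
import struct
from ipaddress import ip_address

# Constructed sample values from the thread: machineA 172.16.16.2, router 9.9.9.1
# on the firewall-facing side, machineB 192.168.1.2, next-hop MTU 1000 (router eth0).

def ipv4_header(src, dst, proto, total_len):
    # Version/IHL, TOS, total length, id, flags (DF set), TTL, proto, checksum 0, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       64, proto, 0, ip_address(src).packed, ip_address(dst).packed)

def icmp_echo(echo_type, ident, seq, payload_len):
    # type 8 = echo request, 0 = echo reply; checksum left zero in this sample
    return struct.pack("!BBHHH", echo_type, 0, 0, ident, seq) + b"\x00" * payload_len

def frag_needed(src, dst, offending, next_mtu):
    # ICMP type 3 code 4: unused 16 bits, next-hop MTU (RFC 1191), then the
    # offending packet's IP header plus its first 8 bytes (RFC 792)
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_mtu) + offending[:28]
    return ipv4_header(src, dst, 1, 20 + len(body)) + body

def icmp_tuple(pkt):
    """(src, dst, icmp_id) of an IPv4 ICMP echo request/reply; None otherwise."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    typ, _, _, ident, _ = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if typ not in (0, 8):
        return None
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])), ident)

def classify_icmp_error(pkt, tracked):
    """Return (state, next_mtu) for a frag-needed error, None for other packets.
    RELATED if the embedded packet belongs to a tracked echo flow in either
    direction (the reply direction is the inverted tuple), else INVALID."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        return None
    typ, code, _, _, next_mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if (typ, code) != (3, 4):
        return None
    inner = icmp_tuple(pkt[ihl + 8:])
    if inner is None:
        return "INVALID", next_mtu
    src, dst, ident = inner
    return ("RELATED" if inner in tracked or (dst, src, ident) in tracked
            else "INVALID"), next_mtu

TRACKED = {("172.16.16.2", "192.168.1.2", 0x42)}      # machineA's echo request flow
REPLY = ipv4_header("192.168.1.2", "172.16.16.2", 1, 1228) + icmp_echo(0, 0x42, 1, 1200)
ERROR_PKT = frag_needed("9.9.9.1", "192.168.1.2", REPLY, 1000)    # related to the flow
STRAY = frag_needed("9.9.9.1", "192.168.1.2",
                    ipv4_header("192.168.1.2", "172.16.16.2", 1, 28) + icmp_echo(0, 0x99, 1, 0), 1000)
```

Running `classify_icmp_error(ERROR_PKT, TRACKED)` yields RELATED with a next-hop MTU of 1000, while `STRAY`, whose embedded reply matches no tracked flow, is INVALID.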