[Bug 48] conntrack breaks udp path mtu discovery

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Fri, 14 Feb 2003 09:02:17 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=48

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED



------- Additional Comments From laforge@netfilter.org  2003-02-14 09:02 -------
This is a really hard issue.

The problem is that we _need_ to defragment at NF_IP_PRE_ROUTING in order to
be able to do connection tracking.  So at this point we would need to
save the sizes of all individual fragments.  This would enable us to re-fragment
to exactly the same size at POST_ROUTING.

Another obvious approach was to check for IP_DF and see if it is bigger than the
MTU of the outgoing interface.  The problem is: before we do conntrack at
NF_IP_PRE_ROUTING we don't know what potential NAT bindings apply to this
connection/packet - and thus don't know the outgoing interface [that's why it's
called PRE_ROUTING].

And then, what happens if NAT has to resize (enlarge/shrink) a packet.  How
should we deal with this while re-fragmenting?

I think this needs some good discussion at netfilter-devel...
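The following is an added illustration, not part of the bug report or of the netfilter code: a toy Python model of the forwarding path the comment describes. Fragments are reassembled at PRE_ROUTING (where the outgoing interface is still unknown), NAT may then change the datagram length, and POST_ROUTING re-fragments for the outgoing interface. The model compares naive re-fragmentation to the outgoing MTU against the "save the fragment sizes" idea from the comment, and it places the IP_DF-versus-MTU check at POST_ROUTING, the first point where the outgoing MTU is actually known. All sizes, MTUs and the NAT length change are constructed values; `IP_HDR`, `Packet` and the function names are this example's own.

```python
"""Toy model of the path discussed in the bug: defragment at PRE_ROUTING,
optionally resize in NAT, re-fragment at POST_ROUTING.  Constructed
numbers throughout; this is not kernel code."""
from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR = 20  # IPv4 header length without options (assumed for the model)


@dataclass
class Packet:
    total_len: int                          # IP total length, header included
    df: bool                                # IP_DF flag
    # Total lengths of the fragments the packet arrived as (empty when it
    # arrived whole).  This is the state the comment proposes saving at
    # PRE_ROUTING so that POST_ROUTING can re-fragment faithfully.
    frag_sizes: List[int] = field(default_factory=list)


def fragment(pkt: Packet, mtu: int) -> List[int]:
    """Split a datagram into fragment total-lengths the way a router would:
    every fragment except the last carries a payload that is a multiple of 8."""
    if pkt.total_len <= mtu:
        return [pkt.total_len]
    payload = pkt.total_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(chunk + IP_HDR)
        payload -= chunk
    return sizes


def pre_routing_defrag(fragments: List[int], df: bool) -> Packet:
    """Reassemble at PRE_ROUTING and remember how the packet was fragmented.
    Each fragment carried its own IP header, so only one header survives."""
    total = sum(f - IP_HDR for f in fragments) + IP_HDR
    return Packet(total_len=total, df=df, frag_sizes=list(fragments))


def nat_resize(pkt: Packet, delta: int) -> Packet:
    """NAT that enlarges (delta > 0) or shrinks (delta < 0) the datagram."""
    pkt.total_len += delta
    return pkt


def post_routing_refragment(pkt: Packet, out_mtu: int,
                            preserve: bool) -> Optional[List[int]]:
    """Fragment sizes to emit on the outgoing interface, or None when the
    packet must be dropped and answered with ICMP 'fragmentation needed'
    (DF set and larger than the outgoing MTU).  With preserve=True the
    re-fragmentation never exceeds the largest original fragment."""
    if pkt.df and pkt.total_len > out_mtu:
        return None
    limit = out_mtu
    if preserve and pkt.frag_sizes:
        limit = min(out_mtu, max(pkt.frag_sizes))
    return fragment(pkt, limit)


def forward(fragments: List[int], df: bool, out_mtu: int,
            nat_delta: int = 0, preserve: bool = False) -> Optional[List[int]]:
    """Run one packet (given as its arriving fragment sizes) through the model."""
    pkt = pre_routing_defrag(fragments, df)
    pkt = nat_resize(pkt, nat_delta)
    return post_routing_refragment(pkt, out_mtu, preserve)


if __name__ == "__main__":
    # Constructed scenario: the sender has learned a 576-byte path MTU and
    # fragmented a 3000-byte datagram accordingly; our outgoing link is 1500.
    arriving = fragment(Packet(3000, df=False), 576)
    print("arrived as        ", arriving)
    print("naive refragment  ", forward(arriving, False, 1500))
    print("size-preserving   ", forward(arriving, False, 1500, preserve=True))
    print("NAT grew it by 20 ", forward(arriving, False, 1500, 20, True))
    print("DF and too large  ", forward([1500], True, 576))
```

The naive variant turns the sender's 576-byte fragments back into 1500-byte ones, which is the effect the bug title complains about: whatever path MTU the sender discovered is undone on this hop. The size-preserving variant reproduces the original fragment sizes exactly when NAT leaves the length alone; once NAT enlarges the datagram the original layout can no longer be matched, and the model falls back to keeping every fragment within the largest original size, which is one workable answer to the re-fragmentation question the comment raises.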


