mirror of
https://github.com/FEX-Emu/linux.git
synced 2024-12-28 12:25:31 +00:00
6aafeef03b
Pushing original fragments through causes several problems. For example for matching, frags may not be matched correctly. Take following example: <example> On HOSTA do: ip6tables -I INPUT -p icmpv6 -j DROP ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT and on HOSTB you do: ping6 HOSTA -s2000 (MTU is 1500) Incoming echo requests will be filtered out on HOSTA. This issue does not occur with smaller packets than MTU (where fragmentation does not happen) </example> As was discussed previously, the only correct solution seems to be to use reassembled skb instead of separete frags. Doing this has positive side effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams dances in ipvs and conntrack can be removed. Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c entirely and use code in net/ipv6/reassembly.c instead. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
---|---|---|
.. | ||
ip6_tables.c | ||
ip6t_ah.c | ||
ip6t_eui64.c | ||
ip6t_frag.c | ||
ip6t_hbh.c | ||
ip6t_ipv6header.c | ||
ip6t_MASQUERADE.c | ||
ip6t_mh.c | ||
ip6t_NPT.c | ||
ip6t_REJECT.c | ||
ip6t_rpfilter.c | ||
ip6t_rt.c | ||
ip6t_SYNPROXY.c | ||
ip6table_filter.c | ||
ip6table_mangle.c | ||
ip6table_nat.c | ||
ip6table_raw.c | ||
ip6table_security.c | ||
Kconfig | ||
Makefile | ||
nf_conntrack_l3proto_ipv6.c | ||
nf_conntrack_proto_icmpv6.c | ||
nf_conntrack_reasm.c | ||
nf_defrag_ipv6_hooks.c | ||
nf_nat_l3proto_ipv6.c | ||
nf_nat_proto_icmpv6.c | ||
nf_tables_ipv6.c | ||
nft_chain_nat_ipv6.c | ||
nft_chain_route_ipv6.c |