Date:	Thu, 08 Dec 2011 12:10:49 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Hans Schillstrom <hans.schillstrom@...csson.com>
CC:	Hans Schillstrom <hans@...illstrom.com>,
	"pablo@...filter.org" <pablo@...filter.org>,
	"jengelh@...ozas.de" <jengelh@...ozas.de>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: IPv6 defrag question ?

On 12/08/2011 10:12 AM, Hans Schillstrom wrote:
> Hi
> While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ?
>
> From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400
> and HMARK in PREROUTING with prio -150
>
> I was expecting that the reassembled packet would reach HMARK not the fragments.
>
> (Debug print from hmark)
> HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1)
> HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0  plen:86 (2008::10 - 1000::1)
>
> IPv4 do reassm. the packets not IPv6...

Yeah, IPv6 currently only passes the defragmented packet through conntrack,
then associates the conntrack information with the individual fragments and
passes those on. I'll post patches for IPv6 NAT which will change this
to behave similar to IPv4 soon.
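
Added example, not part of the original message and not HMARK or kernel code: a sketch of what a PREROUTING hook running after defrag has to handle under the behaviour described in the reply, where it receives the individual IPv6 fragments rather than the reassembled packet. `flow_key`, `mark`, the CRC32 stand-in hash, the UDP ports and the packet bytes are assumptions constructed for illustration; only the two addresses and the payload lengths come from the debug print above.

```python
import ipaddress
import struct
import zlib

FRAGMENT, TCP, UDP = 44, 6, 17
EXT_HDRS = {0, 43, 60}  # hop-by-hop, routing, destination options

def flow_key(pkt: bytes):
    """Return (is_fragment, key) for a raw IPv6 packet as a hook receives it."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    key, nexthdr, off = pkt[8:40], pkt[6], 40  # key starts as src + dst
    while nexthdr in EXT_HDRS:  # skip the unfragmentable extension headers
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nexthdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    is_frag = nexthdr == FRAGMENT
    # Only the first fragment carries the L4 header, so fragments are keyed on
    # addresses alone; mixing in ports would split one flow across marks.
    if not is_frag and nexthdr in (TCP, UDP) and off + 4 <= len(pkt):
        key += pkt[off:off + 4] + bytes([nexthdr])
    return is_frag, key

def mark(pkt: bytes, modulus: int = 1000) -> int:
    """Hypothetical mark: CRC32 of the key (stand-in hash) reduced to a range."""
    return zlib.crc32(flow_key(pkt)[1]) % modulus

def ipv6(nexthdr: int, payload: bytes) -> bytes:
    """Build a constructed test packet between the addresses in the debug print."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nexthdr, 64)
    addrs = ipaddress.IPv6Address("2008::10").packed + ipaddress.IPv6Address("1000::1").packed
    return hdr + addrs + payload

def frag_hdr(offset_bytes: int, more: int) -> bytes:
    # next header, reserved, offset (8-byte units in the top 13 bits) | M, id
    return struct.pack("!BBHI", UDP, 0, offset_bytes | more, 0x1234)

# Constructed sample: one UDP datagram, whole and as two fragments.
UDP_HDR = struct.pack("!HHHH", 4000, 53, 1478, 0)
WHOLE = ipv6(UDP, UDP_HDR + b"A" * 1470)
FIRST = ipv6(FRAGMENT, frag_hdr(0, 1) + UDP_HDR + b"A" * 1392)   # plen 1408
SECOND = ipv6(FRAGMENT, frag_hdr(1400, 0) + b"A" * 78)           # plen 86

if __name__ == "__main__":
    for name, pkt in (("whole", WHOLE), ("first", FIRST), ("second", SECOND)):
        print(name, "frag:%d" % flow_key(pkt)[0], "mark:%d" % mark(pkt))
```

Both fragments produce the same key and therefore the same mark, while the unfragmented datagram is keyed on addresses plus ports; a rule set that relies on port-based marking after defrag has to account for that difference on IPv6.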
