lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Wed, 13 Jan 2010 11:15:31 +0800
From:	Shan Wei <>
To:	Patrick McHardy <>
CC:	David Miller <>,,
	"" <>
Subject: Re: [RFC][PATCH] IP: Send a fragment reassembly time exceeded packet
 when enabling connection track

Patrick McHardy wrote, at 01/05/2010 01:44 PM:
> Shan Wei wrote:
>> Default, a host may send a fragment reassembly time exceeded packet
>> (ICMP Time Exceeded Message with code value of 1) when defraging fragments timeout.
>> But, when enabling connection track, a host can't send the packet.
>> Because, the module of nf_defrag_ipv4 selected by connection track is registered 
>> in PRE_ROUTING HOOK and assembles all accepted fragments(here, not begin to routing).
>> After defrag timeout, the host can't send fragment reassembly time exceeded packet, 
>> because of lack of router information.
>> RFC 792 says:
>>>>>>   If a host reassembling a fragmented datagram cannot complete the
>>>>>>   reassembly due to missing fragments within its time limit it
>>>>>>   discards the datagram, and it may send a time exceeded message.
>>>>>>   If fragment zero is not available then no time exceeded need be
>>>>>>   sent at all.
>>>>>> Read more:
>> So, the patch try to fix it with filling router information before sending fragment reassembly
>> time exceeded packet when defrag timeout.
> I guess the question is whether we really want to send an ICMP
> message in this case. The above quote applies to end hosts,

Yes, what you guess is what i want to ask. :-)
Should end hosts which are using conntrack send a fragment reassembly time exceeded message?

> while conntrack is also (probably more commonly) used on routers,
> which normally shouldn't attempt reassembly.  

There are two point:
1.Take security into account, end hosts also used conntrack. 

  For example: When a host is attacked by denial of service TCP flaws, RedHat used the conntrack&recent
  match to limit the TCP connections.
  About details, see the phenomenon description:

  See RedHat's solution:

2.On the latest kernel, a router on which the conntrack is used, reassemble fragments and 
  forward reassembled intact packet. This implementation is not coincide with what you said.

  nf_defrag_ipv4 module is registered on PRE_ROUTING hook with the highest priority. So, search router table 
  after completing the reassembly and forward it to destination host.

If I miss something, please tell me.

Shan Wei

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists