On Wed, Jan 17, 2001 at 05:44:30PM -0000, Tony Gale wrote:
> 
> On 17-Jan-2001 Andi Kleen wrote:
> > 
> > Connection tracking always defrags as needed. Masquerading/NAT/iptables
> > with connection tracking uses that.
> > 
> > This means that if any of these are enabled and your machine acts as a
> > router, lots of CPU could get burned in defragmentation, and packets
> > will not be forwarded until all fragments have arrived.
> 
> Hmm... ok, what if I'm on a single NIC system using ipchains on the
> input and want to always defrag before they hit the ipchains
> filter, what settings would I need? No masq., no NAT. (Bearing in
> mind that ipchains differentiates between SYN+frag and noSYN+frag.)

You probably need to just load ip_conntrack_standalone and make sure it runs.
It has a higher priority than ipchains in the prerouting chain and should just
defragment things.

It would be better to just write a small netfilter module with a higher
priority than ipchains that always defrags.

Actually I thought I had once seen such a beast, but it doesn't seem to
be included in the main kernel now that I look for it. It's all only a few
lines of code anyway.


-Andi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
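The following is an added example, not code from this thread or from the kernel. It models in user space the behaviour the reply above relies on: netfilter runs hooks in ascending priority order, so a defragmentation hook registered ahead of the packet filter hands the filter whole datagrams, and a rule that inspects TCP flags (a SYN to port 23 here) sees them even when the sender fragmented the packet. Without such a hook, a stateless filter can only examine a first fragment that is long enough to carry the flags; every other fragment has no TCP header to match and is passed through. The priority constants are the 2.4 netfilter_ipv4.h values, the packets are constructed inline, and the reassembler is a deliberately minimal one-datagram-at-a-time model with no timeouts or overlap policy (a real kernel module would register its hook with nf_register_hook rather than through the toy chain runner shown here).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PKT   2048
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2   /* hook kept the packet (here: waiting for more fragments) */
#define PRI_CONNTRACK_DEFRAG (-400)   /* as in linux/netfilter_ipv4.h: lower runs first */
#define PRI_FILTER           0

struct pkt { uint8_t d[MAX_PKT]; int len; };

/* IPv4 header accessors (no IP options assumed) */
static int ihl(const struct pkt *p)        { return (p->d[0] & 0x0f) * 4; }
static int frag_off(const struct pkt *p)   { return (((p->d[6] & 0x1f) << 8) | p->d[7]) * 8; }
static int more_frags(const struct pkt *p) { return (p->d[6] & 0x20) != 0; }

/* Constructed test datagram: IPv4/TCP from port 1234 with `plen` payload bytes */
static void build_tcp(struct pkt *p, uint16_t dport, uint8_t tcp_flags, int plen) {
    int len = 20 + 20 + plen;
    memset(p, 0, sizeof *p);
    p->d[0] = 0x45; p->d[2] = len >> 8; p->d[3] = len & 0xff;
    p->d[4] = 0x12; p->d[5] = 0x34;               /* IP identification */
    p->d[8] = 64;   p->d[9] = 6;                  /* TTL, protocol = TCP */
    p->d[20] = 0x04; p->d[21] = 0xd2;             /* source port 1234 */
    p->d[22] = dport >> 8; p->d[23] = dport & 0xff;
    p->d[32] = 5 << 4; p->d[33] = tcp_flags;      /* data offset 5, TCP flags */
    memset(p->d + 40, 'A', plen);
    p->len = len;
}

/* Split into fragments carrying at most `mtu_body` (a multiple of 8) bytes each */
static int fragment(const struct pkt *p, int mtu_body, struct pkt *out, int max) {
    int h = ihl(p), body = p->len - h, off = 0, n = 0;
    while (off < body && n < max) {
        int chunk = body - off < mtu_body ? body - off : mtu_body;
        struct pkt *f = &out[n++];
        memcpy(f->d, p->d, h);
        memcpy(f->d + h, p->d + h + off, chunk);
        f->len = h + chunk;
        f->d[2] = f->len >> 8; f->d[3] = f->len & 0xff;
        f->d[6] = (off + chunk < body ? 0x20 : 0) | ((off / 8) >> 8);   /* MF | offset hi */
        f->d[7] = (off / 8) & 0xff;
        off += chunk;
    }
    return n;
}

/* Minimal reassembler: one datagram in flight, tracked by a byte-received map */
static struct { struct pkt buf; uint8_t have[MAX_PKT]; int body_len; } reasm;

static int reasm_feed(const struct pkt *f, struct pkt *out) {
    int h = ihl(f), off = frag_off(f), chunk = f->len - h;
    if (off + chunk > MAX_PKT - h) return 0;      /* ignore oversized fragments */
    memcpy(reasm.buf.d, f->d, h);                 /* headers agree apart from frag fields */
    memcpy(reasm.buf.d + h + off, f->d + h, chunk);
    memset(reasm.have + off, 1, chunk);
    if (!more_frags(f)) reasm.body_len = off + chunk;
    if (reasm.body_len == 0) return 0;            /* last fragment not seen yet */
    for (int i = 0; i < reasm.body_len; i++) if (!reasm.have[i]) return 0;
    *out = reasm.buf;
    out->len = h + reasm.body_len;
    out->d[2] = out->len >> 8; out->d[3] = out->len & 0xff;
    out->d[6] = out->d[7] = 0;                    /* no longer a fragment */
    memset(&reasm, 0, sizeof reasm);
    return 1;
}

typedef int (*hook_fn)(struct pkt *);
struct hook { int priority; hook_fn fn; };

/* Defrag hook: holds fragments until the datagram is complete, then passes it on whole */
static int hook_defrag(struct pkt *p) {
    struct pkt full;
    if (!more_frags(p) && frag_off(p) == 0) return NF_ACCEPT;
    if (!reasm_feed(p, &full)) return NF_STOLEN;
    *p = full;
    return NF_ACCEPT;
}

/* Stateless filter rule: drop TCP SYN to port 23.  Only a first fragment long enough
 * to hold the flags byte can match; anything else is let through unexamined. */
static int hook_filter(struct pkt *p) {
    int h = ihl(p);
    if (p->d[9] != 6 || frag_off(p) != 0 || p->len < h + 14) return NF_ACCEPT;
    uint16_t dport = (p->d[h + 2] << 8) | p->d[h + 3];
    return ((p->d[h + 13] & 0x02) && dport == 23) ? NF_DROP : NF_ACCEPT;
}

/* Run hooks in ascending priority order; stop at the first non-ACCEPT verdict */
static int run_chain(struct hook *hooks, int n, struct pkt *p) {
    for (int i = 1; i < n; i++)
        for (int j = i; j > 0 && hooks[j - 1].priority > hooks[j].priority; j--) {
            struct hook t = hooks[j]; hooks[j] = hooks[j - 1]; hooks[j - 1] = t;
        }
    for (int i = 0; i < n; i++) {
        int v = hooks[i].fn(p);
        if (v != NF_ACCEPT) return v;
    }
    return NF_ACCEPT;
}

/* Push a fragmented SYN (64-byte payload) to `dport` through the chain and count
 * how many packets came out the far end with an ACCEPT verdict. */
int count_passed(uint16_t dport, int mtu_body, int with_defrag) {
    static struct pkt full, frags[64];
    struct hook hooks[2] = { { PRI_FILTER, hook_filter }, { PRI_CONNTRACK_DEFRAG, hook_defrag } };
    int n_hooks = with_defrag ? 2 : 1, passed = 0;
    memset(&reasm, 0, sizeof reasm);
    build_tcp(&full, dport, 0x02, 64);
    int n = fragment(&full, mtu_body, frags, 64);
    for (int i = 0; i < n; i++)
        if (run_chain(hooks, n_hooks, &frags[i]) == NF_ACCEPT) passed++;
    return passed;
}

int main(void) {
    printf("SYN->23, 32-byte frags, filter only : %d passed\n", count_passed(23, 32, 0));
    printf("SYN->23, 32-byte frags, defrag first: %d passed\n", count_passed(23, 32, 1));
    printf("SYN->23,  8-byte frags, filter only : %d passed\n", count_passed(23, 8, 0));
    printf("SYN->80, 32-byte frags, defrag first: %d passed\n", count_passed(80, 32, 1));
    return 0;
}
```

With the filter alone, the 32-byte case drops the first fragment (it carries the full TCP header) but lets the two trailing fragments through, and the 8-byte case lets all eleven fragments through because the first one holds only the port numbers, not the flags byte. With the defrag hook ordered first, the filter is handed one complete 104-byte datagram and drops it, while the same traffic to port 80 is reassembled and accepted as a single packet.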