Harald Welte wrote:
> On Sun, Jul 29, 2001 at 08:55:18PM -0400, Brad Chapman wrote:
> > I am currently completing a port of the Netfilter connection
> > tracking subsystem from IPv4 to IPv6. Most of the features in this
> > port are complete, except for fragment handling, which is non-
> > existent. I am also not entirely sure about how to properly parse
> > header chains and extract various extension and layer-4 headers
> > for use by the connection tracking subsystem. Enclosed with this
> > message are my current efforts regarding IPv6 fragmentation and
> > IPv6 header chain parsing.
>
> I'm not sure if your 1:1 attempt of a port is a good idea.
> In IPv6, routers do not fragment packets at all.
> This clashes with the current way how connection tracking for IPv4 is
> implemented in netfilter (defrag at input, refrag at output).
> So, don't try to add fragmentation support to the core (nobody will include
> it anyway, I guess), but try to implement a connection tracking which works
> without that defrag-refrag need.

(if you get this, Mr. Harald, it's because I misspelled `netdev' and
the original message)
Well, okay. I thought about the possibility of violating the RFCs, and
I stayed away from attempting to add IPv4-style fragment support. But, there
are really three different things that can be done with this issue:
1. Ignore all fragments, and NF_DROP fragmented packets. Period. This one
is probably the most RFC-compliant.
2. Copy packets, hold originals, and push copies into connection
This one sounds kludgy and bloaty and violates RFCs.
3. Rewrite _everything_ to deal with fragmented packets. TBH, that's
If given a choice, and told that defragging/refragging packets on the
the RFCs, I would probably choose the first option above.
BTW, what about header chain parsing? Am I doing that right?
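
The header chain walk asked about above, combined with option 1 (drop anything carrying a fragment header), as an added userspace example that is not code from the original message or from Netfilter. The names `ipv6_walk`, `l4_info`, `sample_packet`, the verdict values and the 16-header cap are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* IPv6 next-header values (IANA protocol numbers). */
enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_AH = 51, NH_DSTOPTS = 60 };
enum verdict { V_ACCEPT, V_DROP_FRAGMENT, V_DROP_MALFORMED };
struct l4_info { uint8_t proto; size_t offset; };

/* Walk the extension header chain that follows the 40-byte fixed header.
 * Invariant: off <= len, so (len - off) never underflows. */
enum verdict ipv6_walk(const uint8_t *pkt, size_t len, struct l4_info *out)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return V_DROP_MALFORMED;
    uint8_t nh = pkt[6];                /* next-header field of fixed header */
    size_t off = 40;
    for (int i = 0; i < 16; i++) {      /* assumed cap on chain length */
        size_t hlen;
        switch (nh) {
        case NH_FRAGMENT:               /* option 1: never track fragments */
            return V_DROP_FRAGMENT;
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (len - off < 2) return V_DROP_MALFORMED;
            hlen = ((size_t)pkt[off + 1] + 1) * 8;  /* 8-octet units, first excluded */
            break;
        case NH_AH:
            if (len - off < 2) return V_DROP_MALFORMED;
            hlen = ((size_t)pkt[off + 1] + 2) * 4;  /* AH length is in 4-octet units minus 2 */
            break;
        default:                        /* upper-layer header (or ESP, opaque) */
            out->proto = nh; out->offset = off;
            return V_ACCEPT;
        }
        if (hlen > len - off) return V_DROP_MALFORMED;  /* header runs past packet */
        nh = pkt[off];
        off += hlen;
    }
    return V_DROP_MALFORMED;
}
/* Constructed sample: fixed header, empty hop-by-hop header, then a TCP stub
 * or a fragment header. buf must hold 64 bytes. Returns the packet length. */
size_t sample_packet(uint8_t *buf, int fragmented)
{
    memset(buf, 0, 64);
    buf[0] = 0x60;                      /* version 6 */
    buf[6] = NH_HOPOPTS;
    buf[40] = fragmented ? NH_FRAGMENT : NH_TCP;  /* hop-by-hop next-header */
    if (fragmented) buf[48] = NH_TCP;   /* fragment header next-header */
    return fragmented ? 64 : 56;
}
```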