On 16.04, David Miller wrote:
> > Netfilter may change the contents of the packet, even change its size.
> > It is *really* hard to do this while keeping the original fragments
> > intact.
>
> I keep hearing a lot of "it's hard" as the only reason we shouldn't do
> this properly, and that frankly sucks. People aren't looking for a
> solution and to be honest it's quite tiring.
>
> The common case is that the rules processed are simple, the size of
> the overall packet does _not_ change, and therefore the best thing
> to do is pass the entire thing as a unit with the frags intact.
>
> That's the fundamental fact. It's also the fastest way to process
> these packets and avoids all of these stupid max frag garbage.
>
> Only at the point where netfilter makes changes to the size of the
> packet does it take "ownership" and get to take on the responsibility
> of making sure the new resulting fragments are sane.
>
> But only at that point.
Agreed, that part shouldn't be hard. We need to pass the defragmented skb through the ruleset, meaning we need to pass it through the stack. That's needed since the rules depend on this. If we don't make changes, we can spit out the original fragments, but for this we need to keep a reference to them from the skb. We still need the max_frag_size thing; once a modification is made we drop the frag list reference and just regularly refragment the modified skb according to the limits.
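The scheme the two messages converge on, as an added user-space model (not kernel code, and not from either author): the reassembled datagram keeps a reference to its original fragments and remembers the largest one as max_frag_size; an unmodified packet is emitted as the original fragments, while a rule that changes the size drops the frag list and the packet is refragmented at max_frag_size. Fragment lengths, the 16-entry limit and the struct names are constructed for this model.

```c
/* One IP fragment: payload offset and payload length (constructed model). */
struct frag { unsigned offset, len; };

/* Reassembled datagram that still references its original fragments. */
struct datagram {
    unsigned total;           /* reassembled payload length */
    unsigned max_frag_size;   /* largest fragment payload seen on the wire */
    int modified;             /* set once a rule changed the packet size */
    unsigned n_orig;
    struct frag orig[16];     /* original fragments, kept by reference */
};

/* Defragment constructed in-order fragments (no gaps or overlaps assumed);
 * every fragment but the last must be a multiple of 8 octets. */
int defrag(struct datagram *d, const struct frag *in, unsigned n)
{
    d->total = d->n_orig = d->max_frag_size = 0;
    d->modified = 0;
    for (unsigned i = 0; i < n && i < 16; i++) {
        if (in[i].offset != d->total || (i + 1 < n && in[i].len % 8))
            return -1;
        d->orig[d->n_orig++] = in[i];
        d->total += in[i].len;
        if (in[i].len > d->max_frag_size)
            d->max_frag_size = in[i].len;
    }
    return 0;
}

/* A rule that changes the packet size takes ownership: drop the frag list. */
void nf_resize(struct datagram *d, unsigned new_total)
{
    d->total = new_total; d->modified = 1; d->n_orig = 0;
}

/* Output: an untouched packet reuses its originals; a modified one is
 * refragmented at max_frag_size, rounded down to the 8-octet unit. */
unsigned emit(const struct datagram *d, struct frag *out, unsigned cap)
{
    unsigned n = 0, step = d->max_frag_size & ~7u;
    if (!d->modified) {
        for (; n < d->n_orig && n < cap; n++)
            out[n] = d->orig[n];
        return n;
    }
    for (unsigned off = 0; step && off < d->total && n < cap; off += step, n++) {
        out[n].offset = off;
        out[n].len = d->total - off < step ? d->total - off : step;
    }
    return n;
}
```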