Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-08 Thread Subash Abhinov Kasiviswanathan
> We can probably skip defrag if explicit notrack is requested via rule.

Hi Pablo

Thanks for the suggestion. I tried this and it appears that defrag occurs before NOTRACK is hit in the raw table in PREROUTING. This is because the defrag priority happens to be higher than that of RAW.

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Pablo Neira Ayuso
On Tue, Nov 07, 2017 at 11:58:40AM -0700, Subash Abhinov Kasiviswanathan wrote:
> >This breaks connection tracking for packets coming in via such
> >interfaces.
> >
> >Nowadays we only enable defrag in a network namespace if the ip/nftables
> >ruleset requires it, so this setting would be

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Subash Abhinov Kasiviswanathan
> This breaks connection tracking for packets coming in via such interfaces.
>
> Nowadays we only enable defrag in a network namespace if the ip/nftables
> ruleset requires it, so this setting would be counter-productive.

Hi Florian

This use case is run on an Android-based device, so there will be

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-07 Thread Florian Westphal
Subash Abhinov Kasiviswanathan wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set 0 to preserve existing behavior (always
> defrag per interface).
>
> This is useful for pure ipv4 forwarding scenarios (without NAT)
> in

Re: [PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-04 Thread Steffen Klassert
On Fri, Nov 03, 2017 at 08:28:40PM -0600, Subash Abhinov Kasiviswanathan wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set 0 to preserve existing behavior (always
> defrag per interface).
>
> This is useful for pure ipv4 forwarding scenarios (without

[PATCH nf-next] netfilter: nf_defrag_ipv4: Add sysctl to disable per interface

2017-11-03 Thread Subash Abhinov Kasiviswanathan
Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per interface. This is set to 0 to preserve existing behavior (always defrag per interface). This is useful for pure ipv4 forwarding scenarios (without NAT) in conjunction with xfrm. It appears that the network stack defrags the packets and then