Closed angus19 closed 2 years ago
What is the reason this code is specific to ICMP ?
If I grok it right, the reassembly code is generic, so it could work for all of the protocols ? As is this patch adds a very different behavior for the icmp vs other protocols, which seems very confusing to me from user point of view..
Yes, you're right that the reassembly code is generic but here for ICMP just.
ICMP or ICMPv6 is a special case or we cannot translate them properly...
Incoming v6 fragmented TCP/UDP isn't an issue. Since existing code does thing right already.
To handle incoming v4 fragmented TCP/UDP well that is the work after. I am not expecting everything to be defragged in nat46. We may leverage existing code and rely on a hash table to retain sport and dport in the first fragment. So second and beyond fragment get a chance to be translated successfully. Fragment identifier is the key to accomplish hash.
Actually you are right, i forgot we deal with fragmented v6 already…. So yeah I would say incoming fragmented v4 is a corner case that we can discard for now. I would really like at some point to set up the CI for this thing, as without the tests it’s a bit worrying to make bigger changes :) anyway, thanks for the clarification, I will merge this one !
Require support of nf_defrag_ipv4 and nf_defrag_ipv6 kernel modules.