[Openswan Users] UDP fragmentation in Linux
Marcus Leech
mleech at nortel.com
Fri Mar 4 13:05:01 CET 2005
Norbert Wegener wrote:
> Marcus Leech wrote:
>
>> ...
>>
>> I'm suspecting that the IPTABLES code is screwing up in some way, since the kernel ip_output routines call NF_HOOK, rather than passing directly to the routing-chosen hardware device. Somewhere in all that netfilter goop, I think that the output packet fragmentation code has become broken--at least for UDP.
>> Like I observed, ICMP ECHO packets get correctly fragmented when they exceed the local MTU.
>
>
> Did you ask the iptables people to comment on this?
>
>
No, I haven't. I'm still doing more tests. The system I wrote the test code on doesn't have any ipchains/iptables turned on (which doesn't necessarily mean that it isn't going through the IPTABLES code).
I've attached my small test program. You can see the offending behaviour if you run this program, and use TCPDUMP in another window. In modern TCPDUMPs, the IP flags field is set to [+], which means "more fragments to follow", but none will appear for the UDP packets with UDP length of 3000, since the MTU (for ethernet) will be 1500.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netftgener.c
Type: text/x-csrc
Size: 1671 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050304/a1927a7b/netftgener.bin
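The check described in the message above, as an added example that is not the attached netftgener.c and not part of the original post: it computes the fragments a 3000-byte UDP datagram should produce over a 1500-byte ethernet MTU, then walks constructed IPv4 headers (sample addresses and zero checksums are assumptions) and flags a datagram whose last fragment seen still carries the [+] (more fragments) bit, i.e. the symptom the tcpdump observation shows.

```python
import struct

IP_MF = 0x2000          # "more fragments" flag, shown as [+] by tcpdump
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units

def expected_fragments(udp_len, mtu=1500, ihl=20):
    """Expected (offset, payload_len, more_fragments) for an IP payload of udp_len bytes."""
    per_frag = (mtu - ihl) // 8 * 8           # 1480 bytes of payload per fragment on ethernet
    frags, off = [], 0
    while off < udp_len:
        plen = min(per_frag, udp_len - off)
        frags.append((off, plen, off + plen < udp_len))
        off += plen
    return frags

def make_fragment(ident, offset, payload_len, more):
    """Constructed IPv4 header plus dummy payload (assumed addresses, checksum left zero)."""
    flags_frag = (IP_MF if more else 0) | ((offset // 8) & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len

def parse_fragment(pkt):
    """Pull the fields that matter for reassembly out of an IPv4 packet."""
    ver_ihl, _, total_len, ident, flags_frag = struct.unpack("!BBHHH", pkt[:8])
    ihl = (ver_ihl & 0x0F) * 4
    return {"id": ident, "offset": (flags_frag & OFFSET_MASK) * 8,
            "mf": bool(flags_frag & IP_MF), "payload_len": total_len - ihl}

def check_reassembly(packets):
    """Map IP id -> True if its fragments form a complete datagram, False otherwise."""
    by_id = {}
    for pkt in packets:
        f = parse_fragment(pkt)
        by_id.setdefault(f["id"], []).append(f)
    results = {}
    for ident, frags in by_id.items():
        frags.sort(key=lambda f: f["offset"])
        complete, expected_off = True, 0
        for f in frags:
            if f["offset"] != expected_off:
                complete = False                   # gap: a fragment never arrived
            expected_off = f["offset"] + f["payload_len"]
        if frags[-1]["mf"]:
            complete = False                       # [+] still set on the last fragment seen
        results[ident] = complete
    return results

# Constructed samples: a correctly fragmented 3000-byte datagram (id 1) and the
# behaviour the post describes, one packet with [+] set and no follow-up (id 2).
GOOD = [make_fragment(1, off, plen, more) for off, plen, more in expected_fragments(3000)]
BAD = [make_fragment(2, 0, 1480, True)]
```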