[Openswan Users] UDP fragmentation in Linux

Marcus Leech mleech at nortel.com
Fri Mar 4 13:05:01 CET 2005



Norbert Wegener wrote:

> Marcus Leech wrote:
>
>> ...
>>
>> I'm suspecting that the IPTABLES code is screwing up in some way,
>> since the kernel ip_output routines call NF_HOOK, rather than passing
>> directly to the routing-chosen hardware device.  Somewhere in all
>> that netfilter goop, I think that the output packet fragmentation
>> code has become broken--at least for UDP.
>> Like I observed, ICMP ECHO packets get correctly fragmented when
>> they exceed the local MTU.
>
> Did you ask the iptables people to comment on this?
>
No, I haven't.  I'm still doing more tests.  The system I wrote the test
code on doesn't have any ipchains/iptables turned on (which doesn't
necessarily mean that it isn't going through the IPTABLES code).

I've attached my small test program.  You can see the offending behaviour
if you run this program, and use TCPDUMP in another window.  In modern
TCPDUMPS, the IP flags field is set to [+], which means "more fragments
to follow", but none will appear for the UDP packets with UDP length of
3000, since the MTU (for ethernet) will be 1500.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: netftgener.c
Type: text/x-csrc
Size: 1671 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20050304/a1927a7b/netftgener.bin
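The attached netftgener.c was scrubbed from the archive. As an added example (not the poster's program and not Openswan code), the C below decodes the IPv4 flags/fragment-offset field that tcpdump renders as "[+]" and checks whether a set of captured fragments can be reassembled; the three sample headers are constructed for the 3000-byte UDP datagram at a 1500-byte MTU the message describes, not taken from a capture.

```c
#include <stdint.h>
#include <stddef.h>

/* Per-fragment fields from the IPv4 header: mf is the More Fragments bit
   (tcpdump's "[+]"), offset and payload are in bytes. */
struct frag_info { int mf; unsigned offset, payload; };
/* Decode length and flags/offset from a raw IPv4 header; -1 if malformed. */
int parse_frag(const uint8_t *hdr, size_t len, struct frag_info *out)
{
    if (len < 20 || (hdr[0] >> 4) != 4) return -1;
    unsigned ihl = (hdr[0] & 0x0f) * 4, total = (hdr[2] << 8) | hdr[3];
    unsigned fo = (hdr[6] << 8) | hdr[7];   /* 3 flag bits + 13-bit offset */
    if (ihl < 20 || total < ihl) return -1;
    out->mf = (fo >> 13) & 1;
    out->offset = (fo & 0x1fff) * 8;        /* offset is in 8-byte units */
    out->payload = total - ihl;
    return 0;
}

/* Fragments of one datagram in arrival order: 1 when they run contiguously
   from offset 0 and the last one clears MF, 0 otherwise. A fragment with MF
   set and nothing after it (the symptom in the post) yields 0. */
int fragments_complete(const struct frag_info *f, size_t n)
{
    unsigned next = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].offset != next) return 0;  /* gap or out of order */
        next += f[i].payload;
        if (!f[i].mf) return i + 1 == n;    /* MF clear only on the last */
    }
    return 0;  /* ran out of fragments while MF was still set */
}
/* Constructed sample: the three fragments a UDP datagram of length 3000 (IP
   total length 3020) becomes at a 1500-byte MTU; addresses/checksum zero. */
static const uint8_t FRAGS[3][20] = {
    {0x45, 0, 0x05, 0xdc, 0, 0, 0x20, 0x00, 64, 17}, /* 1500 B, MF=1, off 0    */
    {0x45, 0, 0x05, 0xdc, 0, 0, 0x20, 0xb9, 64, 17}, /* 1500 B, MF=1, off 1480 */
    {0x45, 0, 0x00, 0x3c, 0, 0, 0x01, 0x72, 64, 17}, /*   60 B, MF=0, off 2960 */
};
/* Parse the first n sample fragments and check reassembly; n == 1 models
   the capture in the post where "[+]" is set but no fragment follows. */
int check_sample(size_t n)
{
    struct frag_info f[3];
    if (n > 3) return -1;
    for (size_t i = 0; i < n; i++)
        if (parse_frag(FRAGS[i], 20, &f[i]) != 0) return -1;
    return fragments_complete(f, n);
}
```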
