Re: IP defrag (was RE: ipchains blocking port 65535)

From: Tony Gale (gale@syntax.dera.gov.uk)
Date: Wed Jan 17 2001 - 12:44:30 EST


On 17-Jan-2001 Andi Kleen wrote:
>
> Connection tracking always defrags as needed.
> masquerading/NAT/iptables with connection tracking uses that.
>
> This means that if any of these are enabled and your machine acts
> as a router lots of CPU could get burned in defragmentation, and
> packets will not be forwarded until all fragments arrived.

Hmm... ok, what if I'm on a single nic system using ipchains on the
input and want to always defrag before they hit the ipchains
filter, what settings would I need? No masq., no NAT. (bearing in
mind that ipchains differentiates between SYN+frag and noSYN+frag.)

>
> All very nasty, but unfortunately there is no alternative.
>

Nasty but necessary. Such is life.

-tony

---
E-Mail: Tony Gale <gale@syntax.dera.gov.uk>
Isn't it nice that people who prefer Los Angeles to San Francisco live there?
		-- Herb Caen

The views expressed above are entirely those of the writer and do not represent the views, policy or understanding of any other person or official body.



This archive was generated by hypermail 2b29 : Tue Jan 23 2001 - 21:00:15 EST