An IP datagram should be reassembled at the end of the path, because the fragments may arrive over different paths. I think Netfilter
needs to reassemble an IP datagram to inspect the whole payload to see if it matches a given filter rule (I am looking for an official source to confirm when netfilter does reassembly).
When the IP fragments are forwarded, so the host running netfilter is not the end of the path, does netfilter wait for the IP fragments and reassemble them? What happens if a given fragment doesn't arrive because it follows a different path?
Viewed 2,784 times

Asked by MABC
- I think you should clarify your situation and wishes. Your question is too unclear. – Halfgaar Jan 12 '15 at 19:55
- Doesn't this section of the wikipedia article answer your question? http://en.wikipedia.org/wiki/Netfilter#Packets_defragmentation – Zoredache Jan 12 '15 at 20:40
- `What happen if ... because it follows a different path?` - The connection tracking functionality of netfilter assumes that it is the only path. If your topology has multiple paths then connection tracking functionality, and most of netfilter just isn't going to work. – Zoredache Jan 12 '15 at 20:43
- When I was at the university my teacher said that if a router needs to fragment due to the MTU, the IP fragments should be reassembled at the destination host and not at the next hop. This is because IP fragments may follow different paths. I wondered what happens if netfilter needs to inspect the payload of the datagram to track the connection state of a forwarded packet. As I see it, netfilter in a router will try to reassemble the fragments even if the packet is forwarded, so if some of the IP fragments arrive at the destination host using another path different from this router, it won't work. – MABC Jan 12 '15 at 21:39
- Most modern operating systems since Windows 95 have been using Path MTU Discovery by default: in that technique, all outgoing packets are sent with the "Don't Fragment" bit set. If a router would need to fragment a packet for a link that has a smaller MTU, it will send back an ICMP error packet "Fragmentation Needed" instead. That will cause the sender to reduce the outgoing packet size for that connection at the source. This was found to be more efficient than fragmenting packets mid-travel... but if someone blocks all ICMP, it breaks down. – telcoM Nov 12 '18 at 10:04
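The comments above describe the mechanism but not what a reassembling middlebox actually does when a fragment never shows up. The following is an added example, written for this page and not Netfilter source code: a small Python model of the per-datagram fragment queue that a defragmenting hop (the role the kernel's nf_defrag step plays in front of connection tracking) keeps. It builds real IPv4 fragments with `struct`, parks them keyed by (src, dst, protocol, IP ID), hands the datagram on only once the hole list is empty, and discards queues that are still incomplete after a timeout. The `IPFRAG_TIME` constant mirrors the 30-second default of the Linux sysctl `net.ipv4.ipfrag_time`; the packet builder, the `Reassembler` class and its injectable `clock` are this example's own constructions, and overlapping fragments are simply treated as still-incomplete rather than rejected, which is a simplification.

```python
"""Model of a fragment-reassembly queue on a forwarding hop (added example).

Not Netfilter code; a simplified stand-in for what a defragmenting router
does with the fragments it sees, including the case where one never arrives.
"""
import socket
import struct
import time
from dataclasses import dataclass, field

# Default of the Linux sysctl net.ipv4.ipfrag_time: incomplete datagrams are
# dropped once they have waited this long for their missing pieces.
IPFRAG_TIME = 30.0


def _checksum(data: bytes) -> int:
    """One's-complement IPv4 header checksum (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, payload, offset=0, more=False):
    """Build a raw IPv4 packet without options; offset is in bytes."""
    assert offset % 8 == 0, "fragment offsets are in 8-byte units"
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF flag + offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(src, dst, proto, ident, payload, mtu):
    """Split one datagram the way a router would for a link with this MTU."""
    step = (mtu - 20) // 8 * 8            # per-fragment data, multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        chunk = payload[off:off + step]
        frags.append(build_ipv4(src, dst, proto, ident, chunk,
                                offset=off, more=off + step < len(payload)))
    return frags


def parse_ipv4(pkt):
    """Pull out the fields reassembly cares about."""
    b0, _, total, ident, ff, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (b0 & 0x0F) * 4
    return dict(src=src, dst=dst, proto=proto, ident=ident,
                more=bool(ff & 0x2000), offset=(ff & 0x1FFF) * 8,
                payload=pkt[ihl:total])


@dataclass
class _Queue:
    first_seen: float
    pieces: dict = field(default_factory=dict)   # byte offset -> chunk
    total: int = -1                               # known once MF=0 arrives


class Reassembler:
    """Fragment queues of one hop. `clock` is injectable so tests can age them."""

    def __init__(self, timeout=IPFRAG_TIME, clock=time.monotonic):
        self.timeout, self.clock = timeout, clock
        self.queues = {}
        self.expired = 0      # datagrams dropped because a piece never came

    def expire(self):
        """Drop queues older than the timeout; returns how many were dropped."""
        now = self.clock()
        stale = [k for k, q in self.queues.items()
                 if now - q.first_seen > self.timeout]
        for k in stale:
            del self.queues[k]
        self.expired += len(stale)
        return len(stale)

    def push(self, pkt):
        """Feed one packet. Returns the whole payload once the datagram is
        complete, or None while fragments are parked waiting for the rest."""
        self.expire()
        f = parse_ipv4(pkt)
        if not f["more"] and f["offset"] == 0:
            return f["payload"]            # never fragmented: pass straight on
        key = (f["src"], f["dst"], f["proto"], f["ident"])
        q = self.queues.setdefault(key, _Queue(first_seen=self.clock()))
        q.pieces[f["offset"]] = f["payload"]
        if not f["more"]:
            q.total = f["offset"] + len(f["payload"])
        if q.total < 0:
            return None                    # last fragment not seen yet
        cursor = 0                         # walk the pieces looking for holes
        for off in sorted(q.pieces):
            if off != cursor:
                return None                # gap (or overlap): keep waiting
            cursor += len(q.pieces[off])
        if cursor != q.total:
            return None
        del self.queues[key]
        return b"".join(q.pieces[o] for o in sorted(q.pieces))
```

Run it with three fragments of one datagram and the queue completes regardless of arrival order; withhold one fragment (the case where it went around this router on another path) and the queue never completes, so after `IPFRAG_TIME` the remaining pieces are dropped and nothing downstream of the defragmentation step, connection tracking included, ever sees that datagram.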