I hope Gods will forgive me, but I cannot forgive myself 8)
-ANK (981001)
We’ve seen in previous articles that sometimes large IP packets are broken up along the way into “fragments.” Ordinarily, these fragments aren’t reassembled into a packet until they reach their final destination. This causes difficulties for masquerading and transparent proxying, which need to see the whole packet to figure out what to do with it.
Hence the kernel option CONFIG_IP_ALWAYS_DEFRAG, which defragments all packets, even the ones just passing through. This only alters two pieces of code in a single file, by moving eight lines, and both Red Hat and Debian ship kernels with this enabled for the sake of masquerading.
But consider a network where you have two separate connections to the outside world. One is the router of your choice, while the other is your Linux box, set to perform packet defragmenting for you. Now imagine a fragmented packet where half the fragments pass through the Linux box and half come in the other way. You’ll never get a complete packet, since the Linux box is holding back its half of the fragments, waiting for a complete packet to pass through. This is a fairly unusual scenario, but it can and does happen. As a workaround, kernel guru David Miller hacked a special setting into the Red Hat 6.0 kernel to correct this problem for people who happen to be using transparent proxying or masquerading….
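The asymmetric-path failure described above can be reproduced with a small model. The following is an added example, not code from the article or from the kernel: it builds real IPv4 fragment headers (identification, MF flag, 8-byte fragment offset, header checksum), reassembles them the way a destination host or a CONFIG_IP_ALWAYS_DEFRAG box would, and then delivers the fragments over two paths. The addresses, identification value and 40-byte payload are constructed sample data; the `Reassembler` and `simulate` helpers are this example's own, not kernel APIs.

```python
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte header, no options
MF_FLAG = 0x2000                            # "more fragments" bit in the flags/offset field

def checksum(data):
    """Standard Internet checksum (RFC 1071) over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(ident, offset_units, more_fragments, payload,
               src="10.0.0.1", dst="10.0.1.2", proto=17):
    """Build one IPv4 packet or fragment; offset is in 8-byte units as on the wire."""
    flags_off = (MF_FLAG if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]  # fill in checksum
    return hdr + payload

def parse_ipv4(pkt):
    """Parse the fixed header and return the fragment-related fields plus payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) != 5:
        raise ValueError("unsupported IPv4 header")
    if checksum(pkt[:20]) != 0:               # a valid header sums to zero
        raise ValueError("bad header checksum")
    _, _, total_len, ident, flags_off, _, proto, _, src, dst = IPV4_HDR.unpack(pkt[:20])
    return {"ident": ident, "proto": proto, "src": src, "dst": dst,
            "mf": bool(flags_off & MF_FLAG), "offset": (flags_off & 0x1FFF) * 8,
            "payload": pkt[20:total_len]}

def fragment(ident, payload, chunk=16):
    """Split a datagram payload into fragments of `chunk` bytes (must be a multiple of 8)."""
    assert chunk % 8 == 0
    frags = []
    for pos in range(0, len(payload), chunk):
        piece = payload[pos:pos + chunk]
        frags.append(build_ipv4(ident, pos // 8, pos + chunk < len(payload), piece))
    return frags

class Reassembler:
    """Holds fragments per (src, dst, ident, proto) until a contiguous run ending in MF=0 arrives."""
    def __init__(self):
        self.pending = {}

    def add(self, pkt):
        h = parse_ipv4(pkt)
        if h["offset"] == 0 and not h["mf"]:
            return h["payload"]                   # unfragmented datagram, pass straight through
        key = (h["src"], h["dst"], h["ident"], h["proto"])
        frags = self.pending.setdefault(key, {})
        frags[h["offset"]] = (h["payload"], h["mf"])
        pos, parts = 0, []
        while pos in frags:                       # walk the contiguous prefix from offset 0
            payload, mf = frags[pos]
            parts.append(payload)
            if not mf:
                del self.pending[key]
                return b"".join(parts)            # complete datagram
            pos += len(payload)
        return None                               # still waiting for fragments

def simulate(frags, via_defrag_box):
    """Deliver fragments to the host over two paths. Fragment indices in `via_defrag_box` go
    through the Linux box that reassembles everything before forwarding; the rest go through a
    plain router that forwards fragments untouched. Returns (payload the host reassembled or
    None, number of fragments stuck in the box's reassembly queue)."""
    box, host, delivered = Reassembler(), Reassembler(), None
    for i, pkt in enumerate(frags):
        if i in via_defrag_box:
            whole = box.add(pkt)
            if whole is None:
                continue                          # box keeps the fragment and forwards nothing
            pkt = build_ipv4(parse_ipv4(pkt)["ident"], 0, False, whole)
        got = host.add(pkt)
        if got is not None:
            delivered = got
    stuck = sum(len(f) for f in box.pending.values())
    return delivered, stuck

# Constructed sample: a 40-byte datagram split into three fragments (16, 16 and 8 bytes)
SAMPLE = bytes(range(40))
FRAGS = fragment(ident=0x1234, payload=SAMPLE)

if __name__ == "__main__":
    print("all via box    :", simulate(FRAGS, {0, 1, 2}))
    print("split paths    :", simulate(FRAGS, {0, 1}))
    print("all via router :", simulate(FRAGS, set()))
```

When every fragment crosses the defragmenting box, the host receives one whole datagram; when every fragment crosses the plain router, the host reassembles it itself. Only the split case fails: the box holds its share waiting for fragments that will never arrive, and the host holds the other share waiting for the ones the box is keeping. In practice the kernel also expires such incomplete queues after a timeout, which this model omits, so the symptom on a real network is a datagram that is silently dropped rather than one held forever.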