
When conntrack is active, the iptables stack never sees a fragmented IP packet, only the reassembled one (source), so the -f test never matches.

If I want to block any fragment I could set ipfrag_high_thresh or ipfrag_time to 0 (source), but that would drop any kind of fragment. Is there anything I can do if I want to drop fragments of a certain IP protocol?

Lorenzo Pistone

2 Answers


I see two ways to achieve your goal, depending on your needs.

You can let reassembly run its course, then, after successful reassembly, drop the whole packet. This works only if the reassembled packet is over the interface MTU (otherwise you won't be able to distinguish between reassembled and “normal” packets). If the packets can’t be successfully reassembled they’ll get dropped anyway, but with a larger CPU overhead.

The other way is to modify the source, and make nf_defrag_ipv4 ignore packets from the protocol(s) you want to handle directly. A quick glance suggests this should work, since there's already an option (IP_NODEFRAG) available for RAW sockets that lets you bypass the reassembly code.

To be honest, I too would love to have more control over this part of the filtering, so I’ll try to get a patch in to remedy the situation.

Giacomo1968
  • I think you should be looking at `tc` input filtering. You can do things before packets even hit the netfilter hooks. – Lorenzo Pistone Sep 03 '15 at 22:58
  • This is an interesting approach, but I can't port my ruleset to tc to avoid the mandatory defrag - after all, the stateful filtering is a core part of my setup. I also use other netfilter features to further classify the packets, not available in tc. BTW, did you solve your original problem? Did you use tc for that? – Matyas Koszik Sep 03 '15 at 23:29
  • I used `tc`, in fact. There are also minimal performance improvements when early filtering in `tc`, see http://meat.pisto.horse/2014/10/iptables-microbenchmark-tc-performance.html – Lorenzo Pistone Sep 05 '15 at 20:55
  • If you just want to drop packets based on a simple classification at extremely high speeds, you should take a look at `netmap` - it can handle a 10gbit interface full of minimal sized packets with ease on a single core of a modern PC. – Matyas Koszik Sep 05 '15 at 21:23
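As an added worked example (not code from the question, the answer or the comments), here is a script that turns the two workable routes above into actual rules: the length-based drop of already-reassembled datagrams that the answer describes, and the `tc` ingress filtering the comments suggest, which classifies the wire fragments before any netfilter hook runs. Everything concrete in it is an assumption rather than something the page states: interface `eth0`, MTU 1500, UDP (IP protocol 17) as the protocol to police, the file name `fragdrop.sh`, and a `DRY_RUN` switch that prints the commands instead of executing them. IPv4 only.

```shell
#!/bin/sh
# Added example (not code from the question or the answers): drop only the
# fragments of one IP protocol on a host where nf_conntrack / nf_defrag_ipv4 is
# loaded, so iptables only ever sees the reassembled datagram and `-f` is useless.
#
# Assumed values, not taken from the page: interface eth0, MTU 1500, protocol
# UDP (IP protocol number 17). Override with IFACE=, MTU=, PROTO=, PROTO_NUM=.
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).

IFACE="${IFACE:-eth0}"
MTU="${MTU:-1500}"
PROTO="${PROTO:-udp}"            # protocol name, for iptables -p
PROTO_NUM="${PROTO_NUM:-17}"     # the same protocol as a number, for tc u32

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Approach 1 from the answer above: let the kernel reassemble, then drop the
# result. After reassembly nothing marks the datagram as "was fragmented"; the
# only usable hint is its size. xt_length compares the IPv4 total-length field
# (header included), and a datagram longer than the link MTU cannot have arrived
# in one frame, so it must have been reassembled. Datagrams that a sender
# fragmented for a smaller path MTU but that fit within our MTU are NOT caught,
# and the kernel still pays for reassembling everything before this rule runs.
install_length_rules() {
    min=$((MTU + 1))
    # mangle/PREROUTING runs after the conntrack defrag hook and before filter.
    run iptables -t mangle -I PREROUTING -i "$IFACE" -p "$PROTO" \
        -m length --length "$min:65535" -j DROP
}

# Approach from the comments: classify on the ingress qdisc with tc, which sees
# the raw frames before any netfilter hook, so the fragments are still visible.
# The 16-bit word at byte 6 of the IPv4 header holds the flags and the fragment
# offset; masking with 0x3fff keeps MF (0x2000) plus the 13-bit offset, so a
# value of 0 means "not a fragment at all". First fragments (MF set, offset 0)
# and later fragments (offset != 0) both fail that test.
install_tc_rules() {
    run tc qdisc add dev "$IFACE" handle ffff: ingress
    # prio 1: unfragmented packets of the protocol are accepted; `action ok`
    # terminates classification, so the prio 2 filter is not consulted.
    run tc filter add dev "$IFACE" parent ffff: protocol ip prio 1 u32 \
        match ip protocol "$PROTO_NUM" 0xff match u16 0x0000 0x3fff at 6 action ok
    # prio 2: whatever is left of that protocol is a fragment; drop it.
    run tc filter add dev "$IFACE" parent ffff: protocol ip prio 2 u32 \
        match ip protocol "$PROTO_NUM" 0xff action drop
}

# Usage:  DRY_RUN=1 sh fragdrop.sh length    (print the iptables rule)
#         sudo sh fragdrop.sh tc             (install the tc ingress filters)
case "${1:-}" in
    length) install_length_rules ;;
    tc)     install_tc_rules ;;
esac
```

Run it with `DRY_RUN=1` first to review the generated commands. The length rule only catches reassembled datagrams larger than the MTU, which is exactly the limitation the answer describes; the `tc` filters act on the fragments themselves, but the rest of the netfilter ruleset behind them still only ever sees reassembled packets, which is the objection raised in the comments.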

I wonder if you can use the netfilter "raw" table, which comes before most of the connection tracking hooks. It has a "NOTRACK" target you can use to exempt certain packets from conntrack, or perhaps the -f condition itself would work with --table raw.

Steven K