Hi,

> I put a rule to drop fragments on the FORWARD chain. The rule shows up OK in
> the iptables -L -v output but does not match any fragmented packets. When I
> log the packets on FORWARD chain they seem to be reassembled.

Yes.

> From an email thread on this list in January 2001 connection tracking does
> reassembly??

Yes.

> Is there a way to tell connection tracking not to reassemble?

No, not until somebody goes to the considerable length to implement that.

Any code checking whole-packet content, like the conntracking (and
especially the conntracking helpers), must be written in a much more
complex way (read more bugs, worse maintenance) if it must directly
handle fragments. In fact, each piece of such checking code then must
implement most rules of defragmentation, while still not fragmenting
the packets.

Can you explain a bit what is your usage scenario, how does it require
fragments to be moved through the box unassembled?

best regards
  Patrick
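To make the point above concrete, here is an added example (not from this thread and not netfilter code) of the minimum a whole-packet inspector has to do before it can look at content: collect IPv4 fragments by (src, dst, id, proto), order them by offset, detect holes and conflicting overlaps, and only then hand the datagram on. The packet builder, the addresses, the fragment sizes and the hypothetical `Defragmenter` class are all constructed for the demo; header checksums are left at zero.

```python
"""Minimal IPv4 defragmenter (constructed example, not netfilter's conntrack code)."""
import socket
import struct

IP_MF = 0x2000        # "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units
HDR_FMT = "!BBHHHBBH4s4s"


def build_packet(src, dst, ident, proto, offset_units, more, payload):
    """Build an IPv4 packet with a plain 20-byte header (checksum left at 0)."""
    frag_field = (IP_MF if more else 0) | (offset_units & IP_OFFMASK)
    header = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), ident, frag_field,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def fragment(src, dst, ident, proto, payload, mtu):
    """Split payload the way an IP stack does: every fragment but the last carries
    a multiple of 8 data bytes, and all but the last set the MF flag."""
    max_data = ((mtu - 20) // 8) * 8
    frags, offset = [], 0
    while offset < len(payload):
        chunk = payload[offset:offset + max_data]
        more = offset + len(chunk) < len(payload)
        frags.append(build_packet(src, dst, ident, proto, offset // 8, more, chunk))
        offset += len(chunk)
    return frags


def parse_packet(pkt):
    """Extract the fields a defragmenter needs; data is bounded by Total Length."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, frag_field, _, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    return {"key": (src, dst, ident, proto),
            "offset": (frag_field & IP_OFFMASK) * 8,
            "more": bool(frag_field & IP_MF),
            "hdr": pkt[:ihl],
            "data": pkt[ihl:total_len]}


class Defragmenter:
    """Hypothetical reassembly queue: one entry per in-flight datagram."""

    def __init__(self):
        self.queues = {}

    def feed(self, pkt):
        """Return the whole datagram once every piece has arrived, else None.
        Unfragmented packets pass straight through."""
        p = parse_packet(pkt)
        if p["offset"] == 0 and not p["more"]:
            return pkt
        q = self.queues.setdefault(p["key"], {"frags": {}, "total": None, "hdr": None})
        if p["offset"] in q["frags"] and q["frags"][p["offset"]] != p["data"]:
            raise ValueError("duplicate fragment offset with different content")
        q["frags"][p["offset"]] = p["data"]
        if p["offset"] == 0:
            q["hdr"] = p["hdr"]          # first fragment supplies the header
        if not p["more"]:
            q["total"] = p["offset"] + len(p["data"])   # last fragment fixes the length
        return self._try_complete(p["key"], q)

    def _try_complete(self, key, q):
        if q["total"] is None or q["hdr"] is None:
            return None                   # first or last piece still missing
        payload, expected = b"", 0
        for off in sorted(q["frags"]):
            if off > expected:
                return None               # hole: wait for more fragments
            if off < expected:
                raise ValueError("overlapping fragments at offset %d" % off)
            payload += q["frags"][off]
            expected = off + len(q["frags"][off])
        if expected != q["total"]:
            return None
        del self.queues[key]
        hdr = bytearray(q["hdr"])
        struct.pack_into("!H", hdr, 2, len(hdr) + len(payload))   # rewrite Total Length
        struct.pack_into("!H", hdr, 6, 0)                          # clear MF and offset
        return bytes(hdr) + payload


def reassemble_out_of_order(frags):
    """Feed fragments last-first and return the datagram, as a content checker would see it."""
    d = Defragmenter()
    result = None
    for f in reversed(frags):
        result = d.feed(f) or result
    return result


if __name__ == "__main__":
    data = bytes(range(256)) * 10                       # constructed 2560-byte payload
    pieces = fragment("10.0.0.1", "10.0.0.2", 0x1234, 17, data, 576)
    whole = reassemble_out_of_order(pieces)
    print(len(pieces), "fragments ->", len(whole), "byte datagram")
```

Note that even this toy needs per-datagram state, hole tracking and an overlap policy before a single byte of content can be checked; a filter that matched on `-f` alone never sees any of that, which is exactly why the reassembly is done once, up front, for everything that inspects payloads.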
