I maintain a routing machine for my family (me being in high school).
Recently, one of my luser friends sent me (from more than one computer)
UDP packets with many thousands of fragments. I do not know where the
bottleneck was, but obviously something in the kernel was bogged down.
tcpdump showed packets that had arrived 10 minutes ago (as the last fragment
arrived, the kernel finally put together packets that had started arriving 10
minutes ago). So on every incoming packet, there was a delay of many
minutes before it was processed.
I read something about how inefficient and memory-consuming
reconstructing packets is, so I assume it's that.
I put a stop to it by setting /proc/sys/net/ipv4/ipfrag_* to -1. That
wasn't too elegant, because now my NFS won't work, since it also uses
fragmented UDP packets.
I can't do anything on netfilter level, because by the time it gets
there, it's already reassembled by the kernel, apparently.
For example, inserting in PREROUTING in mangle (or anywhere else for
that matter)
-f -j DROP
will still let my NFS work, even though the fragmented packets are not
allowed through.
But inserting
-p udp -j DROP
will stop my NFS (for obvious reasons).
If there were a way to disable fragmented packets on only one
interface, my problem would go away. I was also looking into iproute2
stuff and the "tc" command. Well, I'm also not sure when those get applied,
and have barely an idea of how to use it, since there seems to be no
documentation! I've scoured the net; there is absolutely zero
documentation on fragmented packets.
So, where do fragmented packets get defragmented, and in what situations?
Where do "tc" command rules get applied? Is there an even better way to
resolve this situation?
Sorry for such a lengthy story, and thank you in advance.
--
--Seunghun T. Lee
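To make concrete what the post is describing (why a flood of incomplete fragment sets makes reassembly expensive, what the ipfrag_* timeout and memory-threshold knobs bound, and what iptables' -f actually matches), here is an added, self-contained reassembler in Python. It is example code written for this page, not code from the poster or from the kernel; the IPv4 fragments it feeds itself are constructed inline, and the FRAG_TIMEOUT / FRAG_HIGH_THRESH values are stand-ins chosen for the demo, not the kernel's defaults. It goes slightly beyond the post in one respect: it shows that -f only matches second and later fragments (fragment offset > 0), never the first fragment of a datagram.

```python
import struct
import time

# Stand-ins for the ipfrag_time / ipfrag_high_thresh sysctls. Values are chosen
# for the demo (assumption), not the kernel defaults: how long an incomplete
# datagram may wait for its missing pieces, and how much fragment memory to
# hold before evicting the oldest queue.
FRAG_TIMEOUT = 30.0
FRAG_HIGH_THRESH = 4096

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options


def build_fragments(src, dst, ident, proto, payload, frag_payload=8):
    """Split a payload into IPv4 fragments. frag_payload must be a multiple of
    8 because the fragment offset field counts 8-byte units."""
    frags = []
    for off in range(0, len(payload), frag_payload):
        chunk = payload[off:off + frag_payload]
        more = off + frag_payload < len(payload)
        flags_off = ((1 if more else 0) << 13) | (off // 8)   # MF bit + offset
        hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, proto, 0, src, dst)
        frags.append(hdr + chunk)
    return frags


def parse(pkt):
    """Pull out the fields reassembly keys on: (src, dst, id, proto),
    byte offset, more-fragments flag and the data carried."""
    ver_ihl, _tos, total, ident, flags_off, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto),
            "offset": (flags_off & 0x1FFF) * 8,
            "more": bool(flags_off & 0x2000),
            "data": pkt[ihl:total]}


def matches_iptables_f(pkt):
    """What iptables' -f matches: second and further fragments only, i.e.
    fragment offset > 0. The first fragment (offset 0) is never matched."""
    return parse(pkt)["offset"] > 0


class Reassembler:
    def __init__(self, now=time.monotonic):
        self.now = now
        self.queues = {}   # key -> {"parts": {offset: data}, "end": int|None, "first": t}
        self.mem = 0       # bytes of fragment data currently queued

    def feed(self, pkt):
        """Queue one fragment; return the full payload once all pieces are in."""
        f = parse(pkt)
        self._expire()
        q = self.queues.setdefault(f["key"], {"parts": {}, "end": None,
                                              "first": self.now()})
        if f["offset"] not in q["parts"]:          # ignore duplicate fragments
            q["parts"][f["offset"]] = f["data"]
            self.mem += len(f["data"])
        if not f["more"]:                          # last fragment fixes the length
            q["end"] = f["offset"] + len(f["data"])
        # Memory pressure: evict oldest incomplete queues until under threshold.
        while self.mem > FRAG_HIGH_THRESH:
            self._drop(min(self.queues, key=lambda k: self.queues[k]["first"]))
        if f["key"] in self.queues and q["end"] is not None and self._complete(q):
            self._drop(f["key"])
            return b"".join(q["parts"][o] for o in sorted(q["parts"]))
        return None

    def _complete(self, q):
        pos = 0
        for off in sorted(q["parts"]):
            if off != pos:
                return False                       # a hole remains
            pos = off + len(q["parts"][off])
        return pos == q["end"]

    def _drop(self, key):
        q = self.queues.pop(key)
        self.mem -= sum(len(d) for d in q["parts"].values())

    def _expire(self):
        now = self.now()
        for key in [k for k, q in self.queues.items() if now - q["first"] > FRAG_TIMEOUT]:
            self._drop(key)


def demo():
    """Constructed sample: a 40-byte datagram split into 5 fragments fed out of
    order, then a datagram whose only fragment ever seen ages out."""
    src, dst = bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])
    payload = bytes(range(40))
    frags = build_fragments(src, dst, 0x1234, 17, payload)
    clock = [0.0]
    r = Reassembler(now=lambda: clock[0])
    results = [r.feed(frags[i]) for i in (3, 0, 4, 1, 2)]
    r.feed(build_fragments(src, dst, 0x1235, 17, payload)[0])   # first piece only
    pending = len(r.queues)
    clock[0] += FRAG_TIMEOUT + 1
    r.feed(build_fragments(src, dst, 0x1236, 17, b"x" * 8)[0])  # unfragmented datagram
    return {"reassembled": results[-1], "earlier": results[:-1], "pending": pending,
            "after_expiry": len(r.queues), "mem": r.mem,
            "f_first": matches_iptables_f(frags[0]), "f_second": matches_iptables_f(frags[1])}
```

The per-datagram queue keyed on (src, dst, id, proto) is what an attacker fills by sending thousands of first fragments and never the rest: each one allocates a queue that sits until the timeout or the memory threshold evicts it, which is the cost the post is seeing. Setting the thresholds to -1 disables reassembly outright, which is why NFS over fragmented UDP stops working.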