mirror of
https://github.com/bol-van/zapret.git
synced 2025-01-07 17:00:34 +05:00
readme: ipfrag pain notices
This commit is contained in:
parent
de3390ca75
commit
ece9324a23
@ -395,12 +395,19 @@ By default fake payload is 64 zeroes. Can be overriden using `--dpi-desync-fake-
### IP fragmentation
### IP fragmentation
Modern network is very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled
Modern network is very hostile to IP fragmentation. Fragmented packets are often not delivered or refragmented/reassembled on the way.
on the way. Linux always reassembles forwarded fragmented ipv6 if possible and it cannot be disabled.
But Linux can send fragments.
Frag position is set independently for tcp and udp. By default 24 and 8, must be multiple of 8.
Frag position is set independently for tcp and udp. By default 24 and 8, must be multiple of 8.
Offset starts from the header following ip header - transport header in most cases.
Offset starts from the header following ip header - transport header in most cases.
There are important nuances when working with fragments in Linux.
ipv4 : Linux allows to send ipv4 fragments but standard firewall rules in OUTPUT chain can drop them.
ipv6 : There's no way for an application to reliably send fragments without defragmentation in conntrack.
Sometimes it works, sometimes system defragments packets.
Looks like kernels <4.16 have no simple way to solve this problem. Unloading of nf_conntrack module
and its dependency nf_defrag_ipv6 helps but this severe impacts functionality.
Kernels 4.16+ exclude from defragmentation untracked packets.
See blockcheck.sh code for example.
## tpws
## tpws
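Review bot: the added line "and its dependency nf_defrag_ipv6 helps but this severe impacts functionality" has a grammar slip; suggest "but this severely impacts functionality". In the same block, "Kernels 4.16+ exclude from defragmentation untracked packets" reads more clearly as "Kernels 4.16+ exclude untracked packets from defragmentation", and "Linux allows to send ipv4 fragments" as "Linux allows sending ipv4 fragments". The ipv6 notes end with "See blockcheck.sh code for example" but never say what the script does to make the packets untracked on 4.16+; one sentence naming that step would let readers apply it without reading the script. Also, the dropped sentence "Linux always reassembles forwarded fragmented ipv6 if possible and it cannot be disabled" was the only place that distinguished forwarded traffic from locally generated traffic, while the new notes speak of "an application" sending fragments; consider keeping that distinction so router users know which case the conntrack remarks cover.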