Facing issue in ip6tables rule for port based routing management

Hi,

Please help me with the issue described below.
I have a 4 machine setup, M1 -> M2 -> M3 | M4, and a laptop that is reachable through both M3 and M4.

M2 has 2 NICs connected to M3 and M4. Now I want to divide the flow coming from M1 for the laptop.
At M2, I have done the following:

ip6tables -t mangle -A PREROUTING -p udp --dport 80 -j MARK --set-mark 12
echo 2 udp_flow >> /etc/iproute2/rt_tables
ip -6 rule add fwmark 12 table udp_flow
ip -6 route add $laptop-ip dev eth2 table udp_flow

Now if I send UDP traffic from M1 destined to the laptop IP, then if the packet size is less than 1410 bytes I can see complete UDP packets at M4 and they are successfully delivered to the laptop.

But if the packet size is > 1410 bytes, then fragmentation happens and I can see only the 1st fragmented packet at M4, not the successive fragmented packets. I searched and found out that only the 1st fragmented packet has the UDP information and destination port and hence is marked properly and routed. The other fragmented packets have only the UDP information, not the destination port, so they are not marked and are dropped at M2.

Is there any solution or rule that can be applied so that all packets (whether fragmentation is there or not) are transferred to M4 only, not M3 (the destination port rule is compulsory)?

If I put only the UDP rule, not including the destination port, then there is no issue in both cases, with/without fragmentation.

Waiting for your helpful reply.

Thanks,

Rahul Bhansali

There are many reasons fragmentation is not preferred, and here is another. Since packet fragmentation is an IP level function, the udp or tcp header is just payload, and it is only in the first fragment.

I suppose you could write a stateful version of the ip*tables that caches the udp/tcp header and the routing or discard decision it received for fragmented packets. But it is possible for fragments to get out of order, so the first fragment might not arrive first.

A proxy firewall like socks would assemble packets before deciding to forward them or discard them, and if forwarded, they would be re-fragmented.
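As an added illustration of the point made in the question and in the first reply (this code is not from the thread), the following Python walks the IPv6 header chain the way a stateless port match has to, and shows why a "-p udp --dport 80" rule can mark only the first fragment of a datagram. The packets, addresses, ports and fragment size are constructed here for the demonstration; UDP checksums are left at zero.

```python
import struct

IPV6_HDR_LEN = 40
NH_UDP = 17
NH_FRAGMENT = 44
MARK_UDP80 = 12            # the fwmark used in the post

# Placeholder addresses for the constructed packets (not the poster's hosts).
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")

def build_ipv6(next_header, payload):
    """Minimal IPv6 header (RFC 8200) in front of payload."""
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + SRC + DST + payload

def fragment_header(next_header, offset_units, more, ident):
    """Fragment extension header: offset in 8-octet units, M flag in bit 0."""
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)

def udp_dst_port(pkt):
    """Return the UDP destination port, or None when the packet carries no UDP
    header, which is the case for every fragment except the first (offset 0)."""
    nh, off = pkt[6], IPV6_HDR_LEN
    if nh == NH_FRAGMENT:
        nh, _, frag_field, _ = struct.unpack_from("!BBHI", pkt, off)
        off += 8
        if frag_field >> 3 != 0:   # non-zero offset: transport header is elsewhere
            return None
    if nh != NH_UDP:
        return None
    _sport, dport, _length, _csum = struct.unpack_from("!HHHH", pkt, off)
    return dport

def mangle_mark(pkt):
    """Emulates '-p udp --dport 80 -j MARK --set-mark 12' applied to one packet."""
    return MARK_UDP80 if udp_dst_port(pkt) == 80 else 0

def fragments_of(udp_payload, dport=80, ident=0x1234, chunk=1400):
    """Constructed sample: one UDP datagram to dport, split into IPv6 fragments."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(udp_payload), 0) + udp_payload
    frags = []
    for i in range(0, len(udp), chunk):          # chunk must be a multiple of 8
        piece = udp[i:i + chunk]
        fh = fragment_header(NH_UDP, i // 8, i + chunk < len(udp), ident)
        frags.append(build_ipv6(NH_FRAGMENT, fh + piece))
    return frags
```

Running mangle_mark over fragments_of(b"x" * 2000) gives [12, 0]: the first fragment matches the port rule, the second has no UDP header to match and would fall through to the default table.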