drygdryg/zapret
1
0
Fork 0
mirror of https://github.com/bol-van/zapret.git synced 2024-11-30 14:00:52 +03:00
Code Issues Packages Projects Releases Wiki Activity

readme.eng: beautify

Browse Source
This commit is contained in:
bol-van 2022-02-06 12:38:49 +03:00
parent 1de7d8915e
commit f05e39a527
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/readme.eng.md
View File

@ -425,14 +425,14 @@ ipv4 : Linux allows to send ipv4 fragments but standard firewall rules in OUTPUT
ipv6 : There's no way for an application to reliably send fragments without defragmentation by conntrack. ipv6 : There's no way for an application to reliably send fragments without defragmentation by conntrack.
Sometimes it works, sometimes system defragments packets. Sometimes it works, sometimes system defragments packets.
Looks like kernels <4.16 have no simple way to solve this problem. Unloading of nf_conntrack module Looks like kernels <4.16 have no simple way to solve this problem. Unloading of nf_conntrack module
and its dependency nf_defrag_ipv6 helps but this severely impacts functionality. and its dependency `nf_defrag_ipv6` helps but this severely impacts functionality.
Kernels 4.16+ exclude from defragmentation untracked packets. Kernels 4.16+ exclude from defragmentation untracked packets.
See `blockcheck.sh` code for example. See `blockcheck.sh` code for example.
Sometimes it's required to load `ip6table_raw` kernel module with parameter raw_before_defrag=1. Sometimes it's required to load `ip6table_raw` kernel module with parameter raw_before_defrag=1.
In openwrt module parameters are specified after module names separated by space in files located in `/etc/modules.d`. In openwrt module parameters are specified after module names separated by space in files located in `/etc/modules.d`.
In traditional linux check whether `iptables-legacy` or `iptables-nft` are used. If legacy create the file In traditional linux check whether `iptables-legacy` or `iptables-nft` is used. If legacy create the file
`/etc/modprobe.d/ip6table_raw.conf` with the following content : `/etc/modprobe.d/ip6table_raw.conf` with the following content :
``` ```
options ip6table_raw raw_before_defrag=1 options ip6table_raw raw_before_defrag=1