
Assume the conntrack module is loaded (thus nf_defrag_ipv4 is loaded). Will there ever be a situation in which the raw table receives a fragmented packet? In particular, will a BPF rule (loaded through xt_bpf) like this ever return true?

    ldh [6]
    jset #0x1fff, match
    ret #0
    match:
    ret #65535

I ask because I need to optimize some cBPF being used by iptables, and fragmentation checks seem like something I can get rid of, given that conntrack's fragment reassembly module hooks before anything in the raw table.

forest

0 Answers
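As an added illustration (not part of the question and not the poster's code), the following Python emulates the three cBPF instruction kinds used by the filter above and runs it over constructed IPv4 headers. It assumes, as xt_bpf does, that packet data starts at the IPv4 header, so byte offset 6 is the flags/fragment-offset word. The sample headers, the `FRAG_FILTER` transcription and the helper names are constructed for this example. It shows what the rule as written selects: packets whose 13-bit fragment offset is non-zero (second and later fragments); an unfragmented packet, a DF-only packet and the first fragment (MF set, offset 0) all return 0.

```python
import struct

# The question's cBPF filter, transcribed instruction by instruction (constructed
# here for the emulator; mnemonics mirror the bpf_asm lines in the post).
# jset carries relative (jt, jf) skip counts: (1, 0) means "skip the next
# instruction when A & k != 0, otherwise fall through", i.e. jump to 'match'.
FRAG_FILTER = [
    ("ldh", 6),              # A = big-endian halfword at byte 6: flags + fragment offset
    ("jset", 0x1FFF, 1, 0),  # test only the 13-bit fragment-offset field (DF/MF bits excluded)
    ("ret", 0),              # offset == 0: no match
    ("ret", 65535),          # match: offset != 0, i.e. a non-first fragment
]

IP_DF = 0x4000      # "don't fragment" bit in the flags/offset word
IP_MF = 0x2000      # "more fragments" bit
IP_OFFMASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def run_cbpf(program, pkt):
    """Evaluate a tiny cBPF subset (ldh, jset, ret) over raw packet bytes.

    A load past the end of the packet makes a real cBPF program return 0;
    that behaviour is reproduced here.
    """
    acc = 0
    pc = 0
    while pc < len(program):
        insn = program[pc]
        op = insn[0]
        if op == "ldh":
            off = insn[1]
            if off + 2 > len(pkt):
                return 0
            acc = struct.unpack_from("!H", pkt, off)[0]
            pc += 1
        elif op == "jset":
            _, k, jt, jf = insn
            pc += 1 + (jt if acc & k else jf)
        elif op == "ret":
            return insn[1]
        else:
            raise ValueError(f"unsupported cBPF op {op!r}")
    raise RuntimeError("program ran off its end")


def ipv4_header(flag_bits=0, frag_offset=0, total_length=1500, proto=17):
    """Build a minimal 20-byte IPv4 header (constructed test input, checksum left 0).

    frag_offset is in 8-byte units, exactly as carried on the wire.
    """
    frag_word = (flag_bits & (IP_DF | IP_MF)) | (frag_offset & IP_OFFMASK)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                   # version 4, IHL 5 (20-byte header)
        0,                      # DSCP/ECN
        total_length,
        0x1234,                 # identification (arbitrary)
        frag_word,
        64,                     # TTL
        proto,                  # 17 = UDP
        0,                      # header checksum (irrelevant to the filter)
        bytes([192, 0, 2, 1]),  # src, RFC 5737 documentation range
        bytes([192, 0, 2, 2]),  # dst
    )


def frag_filter_matches(pkt):
    """True when the question's filter would return a non-zero (match) verdict."""
    return run_cbpf(FRAG_FILTER, pkt) != 0


# Constructed sample headers covering each case the filter distinguishes.
SAMPLES = {
    "unfragmented":    ipv4_header(),
    "df_set":          ipv4_header(IP_DF),
    "first_fragment":  ipv4_header(IP_MF, 0),    # MF set, offset 0: filter returns 0
    "middle_fragment": ipv4_header(IP_MF, 185),  # byte offset 1480
    "last_fragment":   ipv4_header(0, 370),      # MF clear, offset 2960
    "truncated":       ipv4_header()[:4],        # too short for ldh [6]
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {run_cbpf(FRAG_FILTER, pkt)}")
```

The emulator only settles what the filter computes on a given header; whether a header with a non-zero offset can reach a raw-table rule at all depends on netfilter hook ordering, which this code does not model.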