On Thursday 05 August 2004 07:21, shemminger@xxxxxxxx wrote:
> > Well.. iptables does not really care why the packet is oversized. It
> > fragments any oversized packets.
> >
> > Why does the bridge need to?
>
> The bridge doesn't even know it's IP. There appears to be some
> ebtables code path that defragments packets, and in the process can
> decide to send a skb greater than the MTU of the device. Because of
> recent changes to allow bridging of an MTU size (previous limit was always
> 1500), the bridge now drops skb if skb->len > dev->mtu.
>
> Perhaps the problem is that ebtables filter is defragmenting because it
> is looking at the mtu of the incoming interface?

It has nothing to do with ebtables. It's all about connection tracking of
ipv4 packets on a transparent bridging firewall. Ct defragments packets, on
the ipv4 PREROUTING hook, because it makes things easier. Ct on a transparent
bridge is something people need.

cheers,
Bart