On Mon, Jun 30, 2008 at 5:07 PM, Fulvio Ricciardi <fulvio.ricciardi@xxxxxxxxxxxxx> wrote:
Just to verify, you mean that with no fragmentation, large pings go through if and only if bridge-nf-call-iptables is disabled?
I would expect large pings to be dropped irregardless of the bridge-nf-call-iptables option when the no fragmentation bit is set, based on your scenario.
I ping across the bridge. If instead a ping from the bridge
>
> That mostly rules out other devices in the path as the
> cause of the problem. There's just one chance of a
> netfilter interaction that I can think of: netfilter may
> cause fragments to be recombined, without netfilter the
> fragments could be bridged. Are you running the ping
> command from the bridge itself, or across the bridge? (I
> presume across the bridge because you are discussing the
> FORWARD chain only)
itself, all works right.
Yes, in any case (either ping -s 1472 and ping -s 1473) the
>
> Do the large ping requests show up in the iptables
> counters?
packets are counted in the FORWARD chain.
it's the same
>
> What happens if you set no fragmentation when you run
> ping?
Just to verify, you mean that with no fragmentation, large pings go through if and only if bridge-nf-call-iptables is disabled?
I would expect large pings to be dropped irregardless of the bridge-nf-call-iptables option when the no fragmentation bit is set, based on your scenario.
Thanks
Fulvio
--------------------------------------------------------------------
Fulvio Ricciardi
web: http://www.zeroshell.net/eng/
skype: zeroshellnet
Phone: +3908321835630
_______________________________________________ Bridge mailing list Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/bridge
