Forwarding large fragmented IPv6 packets broken by nf_defrag_ipv6

Greetings,

I have found an interoperability issue between two kernel modules:
bridge and nf_defrag_ipv6. After analyzing the issue, I decided to post
to this list first, assuming it would be more appropriate. However, if
this should be reported to another party, please let me know and I'll be
happy to follow your guidelines.

I believe kernel commit 6aafeef broke forwarding of large fragmented
IPv6 packets through a bridge when conntrack is enabled. That commit,
when nf_defrag_ipv6 is loaded, causes br_dev_queue_push_xmit() to
receive a "reassembled SKB" containing a list of fragments, instead of
fragment SKBs themselves. That in turn causes the is_skb_forwardable()
call to return false as it compares the reassembled packet size to the
destination MTU. If the former is larger, the packet is silently
dropped, even though it has been marked as ACCEPTed in ip6tables.

If the above description is unclear, please let me know and I'll
describe an example setup which would demonstrate the issue. I came
across this problem after putting a DNSSEC-enabled DNS server behind a
transparent firewall running Linux and querying for records which
generate large UDP responses.

-- 
Best regards,
Michał Kępień
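The drop mechanism described in the report above, modelled in user space as an added example (not kernel code and not from the reporter): a reassembled buffer whose total length exceeds the port MTU fails the size comparison even though every fragment in its list would fit. The struct layout, function names and the per-fragment variant are assumptions for illustration only, not the kernel's API or the upstream fix.

```c
/* User-space model (added example, not kernel code) of the forwardability
 * check described above: a reassembled skb keeps the original fragments in
 * frag_list and reports the reassembled size in len. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_FRAGS 8

struct skb {
    size_t len;             /* bytes in this buffer; total size when reassembled */
    struct skb *frag_list;  /* reassembled skb: list of the original fragments */
    struct skb *next;       /* next fragment within a frag_list */
};

/* The comparison the mail describes: reassembled length against the MTU. */
static bool forwardable_total(const struct skb *skb, size_t mtu)
{
    return skb->len <= mtu;
}

/* Illustrative alternative (not the upstream fix): judge each original
 * fragment, since those are what would actually go on the wire. */
static bool forwardable_per_fragment(const struct skb *skb, size_t mtu)
{
    if (!skb->frag_list)
        return skb->len <= mtu;
    for (const struct skb *f = skb->frag_list; f; f = f->next)
        if (f->len > mtu)
            return false;
    return true;
}

/* Builds a constructed reassembled skb of nfrags fragments of frag_len bytes
 * and returns 1 when the total-length check drops it although every
 * fragment fits (the silent drop described above), 0 otherwise, -1 on bad input. */
int shows_silent_drop(size_t mtu, size_t nfrags, size_t frag_len)
{
    struct skb frags[MAX_FRAGS], head = { 0, frags, NULL };
    if (nfrags == 0 || nfrags > MAX_FRAGS)
        return -1;
    for (size_t i = 0; i < nfrags; i++) {
        frags[i].len = frag_len;
        frags[i].frag_list = NULL;
        frags[i].next = (i + 1 < nfrags) ? &frags[i + 1] : NULL;
        head.len += frag_len;   /* reassembled length is the sum of fragments */
    }
    return !forwardable_total(&head, mtu) &&
           forwardable_per_fragment(&head, mtu);
}
```

With three 1400-byte fragments and a 1500-byte MTU, `shows_silent_drop` returns 1: the whole-packet check rejects what each fragment individually passes.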
