Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
> We got a report about a problem on a RHEL6-based OpenVZ kernel:
> large UDP and ICMP packets were dropped on the bridge without incrementing any fail counters.
> Connection tracking was disabled on this node, the nf_conntrack module was unloaded.
> Ftrace pointed out that this happened because of the nfct check.

Right. If you unload the conntrack module this bug triggers, since nf_defrag_ipv4 will still defragment ipv4 packets (and thus needs refragmentation).

> Therefore I believe that my patch is still correct, however now I think we also need
> to remove #if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV4) in br_nf_dev_queue_xmit().

I don't think so, DEFRAG_IPV4 is dependency glue, so it shouldn't be possible to build a kernel with CONNTRACK_IPV4=n and DEFRAG_IPV4=(m|y).

Could you please formally submit your patch for inclusion in nf.git?
For some reason I don't see your patch in http://patchwork.ozlabs.org/project/netfilter-devel/list/

Thanks!