On Fri, Nov 03, 2017 at 08:28:40PM -0600, Subash Abhinov Kasiviswanathan wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set to 0 to preserve existing behavior (always
> defrag per interface).
>
> This is useful for pure ipv4 forwarding scenarios (without NAT)
> in conjunction with xfrm. It appears that the network stack defrags
> the packets and then forwards them to xfrm, which then encrypts
> and then later fragments them on a different boundary compared
> to the source.

The reassembling happens because of conntrack, right?

In this case, I'd recommend to do it like IPv6 does. I.e. reassemble
the fragments, inspect the reassembled packet and, if OK, send the chain
of fragments instead of the reassembled packet back to the stack.
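The "reassemble only to inspect, then forward the original fragment chain" scheme the reply recommends, shown as an added toy model in Python. This is not code from the thread or from the kernel's nf_defrag implementation; the fragments, addresses and the `inspect` callback are constructed, and overlap/hole handling is deliberately strict (any gap or overlap keeps the chain pending).

```python
import struct
from collections import defaultdict

def make_frag(ident, off, mf, payload, proto=17):
    """Build a constructed IPv4 fragment (checksum left 0) from 10.0.0.1 to 10.0.0.2."""
    flags_off = (0x2000 if mf else 0) | (off // 8)          # MF flag + 8-byte offset units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def parse_frag(pkt):
    """Return (conntrack-style key, byte offset, more-fragments flag, payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])            # (src, dst, id, proto)
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total_len]

def reassemble(chain):
    """Full payload if the chain is complete and free of holes/overlaps, else None."""
    parts = sorted((parse_frag(p) for p in chain), key=lambda t: t[1])
    buf, expected = bytearray(), 0
    for _, off, mf, payload in parts:
        if off != expected:                                  # hole or overlap: not inspectable
            return None
        buf += payload
        expected += len(payload)
    return None if parts[-1][2] else bytes(buf)               # last fragment must have MF clear

def process(raw_fragments, inspect):
    """Feed fragments in arrival order; return (verdict, fragments to forward) per datagram.

    As with IPv6 nf_defrag, the reassembled datagram is used only for inspection; what
    goes back to the stack is the sender's original fragment chain, so a later hop
    (e.g. xfrm) sees the original fragment boundaries rather than a re-fragmentation."""
    pending = defaultdict(list)
    results = []
    for pkt in raw_fragments:
        key = parse_frag(pkt)[0]
        pending[key].append(pkt)
        full = reassemble(pending[key])
        if full is None:
            continue                                         # still waiting for fragments
        chain = pending.pop(key)
        results.append(("accept", chain) if inspect(full) else ("drop", []))
    return results
```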