Subash Abhinov Kasiviswanathan <subashab@xxxxxxxxxxxxxx> wrote:
> Add a sysctl nf_ipv4_defrag_skip to skip defragmentation per
> interface. This is set to 0 to preserve existing behavior (always
> defrag per interface).
>
> This is useful for pure ipv4 forwarding scenarios (without NAT)
> in conjunction with xfrm. It appears that the network stack defrags
> the packets and then forwards them to xfrm, which then encrypts
> and then later fragments them on a different boundary compared
> to the source.

This breaks connection tracking for packets coming in via such interfaces.

Nowadays we only enable defrag in a network namespace if the ip/nftables
ruleset requires it, so this setting would be counter-productive.

> An example of this usage is for fixing wifi calling on networks
> where certain routers are configured to drop fragments explicitly.

Yay... does that happen for all frags or is this related to the df bit somehow?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
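The point being argued over above is that a datagram reassembled on input and fragmented again by the xfrm output path comes out with different fragment boundaries than the sender produced, and that a DF-marked datagram cannot be re-fragmented at all. The following is an added example written for this page, not code from the patch, from the kernel, or from either poster. It models RFC 791 IPv4 fragmentation arithmetic in user space (8-byte offset units, MF/DF flags) so the effect of choosing a different MTU boundary can be seen directly. The struct and function names, the 3000-byte sample payload and the MTU values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* IPv4 flag bits in the flags/fragment-offset field (RFC 791). */
#define IP_DF 0x4000
#define IP_MF 0x2000

/* Hypothetical descriptor for one fragment of a datagram. */
struct frag {
    uint16_t offset_bytes;  /* byte offset of this fragment's payload */
    uint16_t payload_len;   /* payload bytes carried by this fragment */
    int      mf;            /* More Fragments flag */
};

/*
 * Split payload_len bytes behind an hlen-byte IPv4 header into fragments
 * that fit mtu. Every fragment but the last carries a multiple of 8 bytes,
 * because the header stores offsets in 8-byte units. Returns the fragment
 * count, or -1 when DF is set and the datagram does not fit (a router must
 * drop it rather than fragment), or when out[] is too small.
 */
int ipv4_fragment(uint16_t payload_len, uint16_t hlen, uint16_t mtu,
                  uint16_t flags, struct frag *out, int max_out)
{
    if (max_out < 1 || mtu <= hlen)
        return -1;
    if ((uint32_t)hlen + payload_len <= mtu) {
        out[0] = (struct frag){ 0, payload_len, 0 };
        return 1;
    }
    if (flags & IP_DF)
        return -1;

    uint16_t chunk = (uint16_t)((mtu - hlen) & ~7u);  /* round down to 8 */
    if (chunk == 0)
        return -1;

    int n = 0;
    uint16_t off = 0;
    while (off < payload_len) {
        if (n >= max_out)
            return -1;
        uint16_t left = (uint16_t)(payload_len - off);
        uint16_t len = left < chunk ? left : chunk;
        out[n].offset_bytes = off;
        out[n].payload_len = len;
        out[n].mf = (off + len) < payload_len;
        n++;
        off = (uint16_t)(off + len);
    }
    return n;
}

/* The 16-bit flags+offset field as it appears in the header (host order). */
uint16_t frag_off_field(const struct frag *f)
{
    return (uint16_t)((f->offset_bytes >> 3) | (f->mf ? IP_MF : 0));
}

/*
 * Does reassembling a datagram fragmented at mtu_a and fragmenting it
 * again at mtu_b reproduce the original boundaries? This is the defrag-
 * then-xfrm-output situation described in the patch text.
 */
int same_fragment_layout(uint16_t payload_len, uint16_t hlen,
                         uint16_t mtu_a, uint16_t mtu_b)
{
    struct frag a[64], b[64];
    int na = ipv4_fragment(payload_len, hlen, mtu_a, 0, a, 64);
    int nb = ipv4_fragment(payload_len, hlen, mtu_b, 0, b, 64);
    if (na < 0 || nb < 0 || na != nb)
        return 0;
    for (int i = 0; i < na; i++)
        if (a[i].offset_bytes != b[i].offset_bytes ||
            a[i].payload_len != b[i].payload_len || a[i].mf != b[i].mf)
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: 3000-byte payload behind a 20-byte header. */
    struct frag f[8];
    int n = ipv4_fragment(3000, 20, 1500, 0, f, 8);
    for (int i = 0; i < n; i++)
        printf("frag %d: off=%u len=%u MF=%d field=0x%04x\n", i,
               f[i].offset_bytes, f[i].payload_len, f[i].mf,
               frag_off_field(&f[i]));
    printf("same layout at MTU 1500 vs 1400: %d\n",
           same_fragment_layout(3000, 20, 1500, 1400));
    printf("DF set and too large for MTU: %d\n",
           ipv4_fragment(3000, 20, 1500, IP_DF, f, 8));
    return 0;
}
```

With the sample values, fragmenting at MTU 1500 yields three fragments at offsets 0, 1480 and 2960, while re-fragmenting the reassembled datagram at MTU 1400 yields offsets 0, 1376 and 2752 (1380 rounded down to a multiple of 8), so the layout seen by the far end no longer matches the sender's; with DF set the function refuses to fragment at all, which is the case the reply asks about.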