> How can a bridge forward a frame from A/B to mtu1300?

The user is free to set different MTUs for bridge ports. In our case there is only TCP traffic between A/B and mtu 1300, and MSS negotiation can make packets smaller than 1300.

> What happens without netfilter or non-fragmented packets?

Without br_netfilter it works fine, there is no defragmentation and refragmentation, fragmented packets will egress directly.

Florian Westphal <fw@xxxxxxxxx> wrote on Tue, Jul 30, 2019 at 8:35 PM:
>
> Rundong Ge <rdong.ge@xxxxxxxxx> wrote:
> > Given the following setup:
> > -modprobe br_netfilter
> > -echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
> > -brctl addbr br0
> > -brctl addif br0 enp2s0
> > -brctl addif br0 enp3s0
> > -brctl addif br0 enp6s0
> > -ifconfig enp2s0 mtu 1300
> > -ifconfig enp3s0 mtu 1500
> > -ifconfig enp6s0 mtu 1500
> > -ifconfig br0 up
> >
> >                  multi-port
> > mtu1500 - mtu1500|bridge|1500 - mtu1500
> >   A                  |                B
> >                   mtu1300
>
> How can a bridge forward a frame from A/B to mtu1300?
>
> > With netfilter defragmentation/conntrack enabled, fragmented
> > packets from A will be defragmented in prerouting, and refragmented
> > at postrouting.
>
> Yes, but I don't see how that relates to the problem at hand.
>
> > But in this scenario the bridge found the frag_max_size(1500) is
> > larger than the dst mtu stored in the fake_rtable which is
> > always equal to the bridge's mtu 1300, then packets will be dropped.
>
> What happens without netfilter or non-fragmented packets?
>
> > This modifies ip_skb_dst_mtu to use the out dev's mtu instead
> > of bridge's mtu in bridge refragment.
>
> It seems quite a hack? The above setup should use a router, not a bridge.