Jan Engelhardt <jengelh@xxxxxxx> wrote on Mon, Aug 26, 2019 at 3:59 PM:
>
>
> On Tuesday 2019-07-30 14:35, Florian Westphal wrote:
> >Rundong Ge <rdong.ge@xxxxxxxxx> wrote:
> >> Given following setup:
> >> -modprobe br_netfilter
> >> -echo '1' > /proc/sys/net/bridge/bridge-nf-call-iptables
> >> -brctl addbr br0
> >> -brctl addif br0 enp2s0
> >> -brctl addif br0 enp3s0
> >> -brctl addif br0 enp6s0
> >> -ifconfig enp2s0 mtu 1300
> >> -ifconfig enp3s0 mtu 1500
> >> -ifconfig enp6s0 mtu 1500
> >> -ifconfig br0 up
> >>
> >> multi-port
> >> mtu1500 - mtu1500|bridge|1500 - mtu1500
> >> A | B
> >> mtu1300
> >
> >How can a bridge forward a frame from A/B to mtu1300?
>
> There might be a misunderstanding here judging from the shortness of this
> thread.
>
> I understood it such that the bridge ports (eth0,eth1) have MTU 1500, yet br0
> (in essence the third bridge port if you so wish) itself has MTU 1300.
>
> Therefore, frame forwarding from eth0 to eth1 should succeed, since the
> 1300-byte MTU is only relevant if the bridge decides the packet needs to be
> locally delivered.

Under this setup, when I do "ping B -l 2000" from A, the fragmented packets
will be dropped by the bridge.
When "/proc/sys/net/bridge/bridge-nf-call-iptables" is on, the bridge will
defragment at PREROUTING and re-fragment at POSTROUTING. At the re-fragment
step, the bridge will check in br_nf_ip_fragment() whether the max frag size
is larger than the bridge's MTU; if it is, the packets will be dropped.
And this patch uses the outdev's MTU instead of the bridge's MTU to do the
br_nf_ip_fragment.