Hi, I have a bridge with connects an gretap tunnel with some ethernet lan. On the gretap device I use ignore-df to avoid packets being lost without icmp reject to the sender of the bridged packet. Still I want to avoid packet fragmentation with the gretap packets. So I though about adding an nftables rule like this: nft insert rule bridge filter FORWARD \ ip protocol tcp \ ip length > 1400 \ ip frag-off & 0x4000 != 0 \ reject with icmp type frag-needed This would reject all tcp packets with ip dont-fragment bit set that are bigger than some threshold (here 1400 bytes). The sender would then receive ICMP unreachable - fragmentation needed and reduce its packet size (as defined with PMTU). This patch series 1. adds frag-needed ipv4 flag to nftables 2. enables to use this with bridge vlans. For IPv6, this would need ICMPV6_PKT_TOOBIG instead of ICMPV6_DEST_UNREACH in nft_reject_br_send_v6_unreach, so this is not part of this series. Regards, M. Braun -- 2.20.1
