Re: [PATCH 0/3] Avoid gretap fragmentation with nftables on bridge

On Wed, May 06, 2020 at 11:46:22AM +0200, Michael Braun wrote:
> Hi,
> 
> I have a bridge which connects a gretap tunnel with some ethernet lan.
> On the gretap device I use ignore-df to avoid packets being lost without
> icmp reject to the sender of the bridged packet.
> 
> Still I want to avoid packet fragmentation with the gretap packets.
> So I thought about adding an nftables rule like this:
> 
> nft insert rule bridge filter FORWARD \
>   ip protocol tcp \
>   ip length > 1400 \
>   ip frag-off & 0x4000 != 0 \
>   reject with icmp type frag-needed
> 
> This would reject all tcp packets with the ip dont-fragment bit set that are
> bigger than some threshold (here 1400 bytes). The sender would then receive
> ICMP unreachable - fragmentation needed and reduce its packet size (as
> defined with PMTU).

Patches 1 and 2 are applied, thanks.

Patch 3 has been merged upstream as a bugfix since VLAN should be
preserved in any reject case.
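To check offline which packets the quoted rule would reject, here is an added Python example (not code from this thread or from the netfilter project) that applies the rule's three match conditions, ip protocol tcp, ip length > 1400 and ip frag-off & 0x4000 != 0, to constructed IPv4 headers; the header builder and the sample addresses are assumptions made for illustration.

```python
import struct

DF_FLAG = 0x4000   # "don't fragment" bit sits in the flags part of the frag-off field
PROTO_TCP = 6
PROTO_UDP = 17


def build_ipv4_packet(total_length, proto=PROTO_TCP, df=True, ident=0x1234):
    """Construct a sample IPv4 packet: a minimal 20-byte header plus zero padding
    up to total_length. This is constructed test data, not a real capture."""
    ver_ihl = (4 << 4) | 5                # IPv4, 5 x 32-bit words of header
    frag_off = DF_FLAG if df else 0       # DF set, no MF, offset 0
    header = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_length, ident, frag_off, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),   # assumed sample addresses
    )
    return header + b"\x00" * (total_length - len(header))


def rule_matches(packet, threshold=1400):
    """Return True when the packet would hit the bridge FORWARD rule, i.e. it is
    TCP, its IP total length exceeds the threshold and the DF bit is set."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                       # not an IPv4 packet, rule cannot match
    total_length, _ident, frag_off, _ttl, proto = struct.unpack("!HHHBB", packet[2:10])
    return (
        proto == PROTO_TCP
        and total_length > threshold
        and (frag_off & DF_FLAG) != 0
    )


def classify(packets, threshold=1400):
    """Map each constructed packet to the verdict the rule would produce."""
    return ["reject frag-needed" if rule_matches(p, threshold) else "forward"
            for p in packets]


if __name__ == "__main__":
    samples = [
        build_ipv4_packet(1500),                  # large TCP with DF: rejected
        build_ipv4_packet(1500, df=False),        # DF clear: tunnel may fragment
        build_ipv4_packet(1400),                  # exactly at threshold: forwarded
        build_ipv4_packet(1500, proto=PROTO_UDP), # not TCP: forwarded
    ]
    for verdict in classify(samples):
        print(verdict)
```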
