On Fri, 2015-05-22 at 16:32 +0200, Florian Westphal wrote:
> We currently always send fragments without DF bit set.
> 
> Thus, given the following setup:
> 
> mtu1500 - mtu1500:1400 - mtu1400:1280 - mtu1280
>    A           R1              R2         B
> 
> Where R1 and R2 run linux with netfilter defragmentation/conntrack
> enabled, then if Host A sent a fragmented packet _with_ DF set to B, R1
> will respond with icmp too big error if one of these fragments exceeded
> 1400 bytes.
> 
> However, if R1 receives fragment sizes 1200 and 100, it would
> forward the reassembled packet without refragmenting, i.e.
> R2 will send an icmp error in response to a packet that was never sent,
> citing mtu that the original sender never exceeded.
> 
> The other minor issue is that a refragmentation on R1 will conceal the
> MTU of R2-B since refragmentation does not set DF bit on the fragments.
> 
> This modifies ip_fragment so that we track largest fragment size seen
> both for DF and non-DF packets, and set frag_max_size to the largest
> value.
> 
> If the DF fragment size is larger than or equal to the non-DF one, we will
> consider the packet a path mtu probe:
> We set DF bit on the reassembled skb and also tag it with a new IPCB flag
> to force refragmentation even if skb fits outdev mtu.
> 
> We will also set DF bit on each fragment in this case.
> 
> Joint work with Hannes Frederic Sowa.
> 
> Reported-by: Jesse Gross <je...@nicira.com>
> Signed-off-by: Florian Westphal <f...@strlen.de>

And also:
Acked-by: Hannes Frederic Sowa <han...@stressinduktion.org>

Thanks,
Hannes
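
The decision described in the quoted commit message, as a user-space C model added here for illustration; it is not part of the thread or of the kernel patch. Struct and function names are hypothetical, header bytes are ignored when summing fragment sizes, and the rule that a probe needs at least one DF fragment is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model; names are hypothetical, not the kernel's. */
struct frag { unsigned int len; bool df; };

struct reasm {
    unsigned int total_len;     /* sum of fragment sizes; headers ignored */
    unsigned int frag_max_size; /* largest fragment seen, DF or not */
    bool pmtu_probe;            /* largest DF fragment >= largest non-DF one */
};

enum action { FORWARD_WHOLE, REFRAG_NO_DF, REFRAG_WITH_DF, ICMP_TOO_BIG };

static unsigned int umax(unsigned int a, unsigned int b) { return a > b ? a : b; }

/* Reassembly: track the largest DF and non-DF fragment separately. */
struct reasm reassemble(const struct frag *f, size_t n)
{
    unsigned int max_df = 0, max_nodf = 0;
    struct reasm r = { 0, 0, false };

    for (size_t i = 0; i < n; i++) {
        r.total_len += f[i].len;
        if (f[i].df)
            max_df = umax(max_df, f[i].len);
        else
            max_nodf = umax(max_nodf, f[i].len);
    }
    r.frag_max_size = umax(max_df, max_nodf);
    /* Assumption: at least one DF fragment is required for a probe. */
    r.pmtu_probe = max_df > 0 && max_df >= max_nodf;
    return r;
}

/* Output path of a defragmenting router with the given outgoing MTU. */
enum action forward(const struct reasm *r, unsigned int out_mtu)
{
    if (r->pmtu_probe) {
        if (r->frag_max_size > out_mtu)
            return ICMP_TOO_BIG;   /* sender really exceeded this hop */
        return REFRAG_WITH_DF;     /* forced even if total_len fits */
    }
    if (r->total_len <= out_mtu)
        return FORWARD_WHOLE;
    return REFRAG_NO_DF;
}
```

With the message's DF fragments of 1200 and 100 bytes, the model returns REFRAG_WITH_DF at both R1 (MTU 1400) and R2 (MTU 1280), so neither router reports an MTU the sender never exceeded.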

