SRU Justification:

Impact:
This bug causes issues when ip6tables modules are loaded with IPv6 fragmented packets traversing a bridge. The extant conntrack processing will reassemble the IPv6 fragments for netfilter processing, but is incapable of re-fragmenting these datagrams for subsequent forwarding. This causes the fragmented IPv6 datagrams to be dropped.

Fix:
This is resolved by backporting functionality from mainline that re-fragments the IPv6 datagrams upon bridge egress.

Testcase:
The patch commit log includes a test case; to summarize:

A bridge is configured with two ports and interfaces are attached to these ports. A traffic source beyond one port generates fragmented IPv6 datagrams, e.g., ping6 -s 2000, destined for a host beyond the bridge.

With ip6tables modules unloaded, the IPv6 fragments will traverse the bridge. Loading ip6tables, e.g., "ip6tables -t nat -L", will cause IPv6 fragmented datagrams to be dropped on the unpatched kernel. These datagrams are correctly forwarded with the patch applied.

--
https://bugs.launchpad.net/bugs/1463911

Title: IPV6 fragmentation and mtu issue
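
The reassemble-then-refragment behaviour described in this report, as a simplified Python model added here (it is not the kernel patch or any code from the bug report). The 1500-byte MTU, the identification value, the reuse of the sender's identification on egress and all function names are assumptions made for illustration.

```python
import struct

IPV6_HDR, FRAG_HDR, ICMP6_HDR = 40, 8, 8   # header sizes in bytes
NEXT_ICMPV6 = 58                           # next-header value for ICMPv6

def fragment(payload, mtu, ident):
    """Split the fragmentable part into (Fragment header, data) pairs that fit mtu."""
    if IPV6_HDR + len(payload) <= mtu:
        return [(b"", payload)]                     # fits: no Fragment header
    step = (mtu - IPV6_HDR - FRAG_HDR) // 8 * 8     # non-final data is a multiple of 8
    frags = []
    for off in range(0, len(payload), step):
        more = 1 if off + step < len(payload) else 0
        # Fields: next header, reserved, offset (8-byte units << 3) | M, identification
        hdr = struct.pack("!BBHI", NEXT_ICMPV6, 0, off | more, ident)
        frags.append((hdr, payload[off:off + step]))
    return frags

def frag_offset(hdr):
    """Byte offset carried in a Fragment header (low 3 bits are reserved + M)."""
    return struct.unpack("!BBHI", hdr)[2] & 0xFFF8

def reassemble(frags):
    """Model of conntrack defragmentation: one datagram is handed to netfilter."""
    if frags[0][0] == b"":
        return frags[0][1]
    return b"".join(data for _, data in sorted(frags, key=lambda f: frag_offset(f[0])))

def bridge_egress(frags, mtu, refragment):
    """Packets leaving the bridge port; an empty list means the datagram was dropped."""
    datagram = reassemble(frags)
    if IPV6_HDR + len(datagram) <= mtu:
        return [(b"", datagram)]
    if not refragment:
        return []              # unpatched: reassembled datagram cannot be re-fragmented
    ident = struct.unpack("!BBHI", frags[0][0])[3]   # model choice: keep the sender's ID
    return fragment(datagram, mtu, ident)

if __name__ == "__main__":
    # Constructed input: the fragmentable part of "ping6 -s 2000" (ICMPv6 header + data)
    echo = bytes(i % 256 for i in range(ICMP6_HDR + 2000))
    wire = fragment(echo, 1500, 0x1234)     # MTU 1500 is an assumption
    print([(frag_offset(h), len(d)) for h, d in wire])
    print("unpatched:", len(bridge_egress(wire, 1500, refragment=False)), "packets")
    print("patched:  ", len(bridge_egress(wire, 1500, refragment=True)), "packets")
```
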