Monday, December 12, 2011

Linux bridging will drop too-big packets marked with DF

It should be obvious, but Linux will drop packets on the floor if you try to bridge packets marked Don't Fragment (DF) that are too big for the outgoing bridge port. If you set an MTU on a bridge, the setting will propagate to all the attached bridge links. A Linux bridge is a plain L2 device, even if you can assign an IP address to the bridge's own virtual host port. Since it does not actually route packets, there is no place to generate the ICMP Destination Unreachable / Fragmentation Needed errors (type 3, code 4) that Path MTU Discovery needs in order to converge on the right value. As long as you route instead of bridge, you're fine.

TCP streams like HTTP and SSH data transfers between my laptop and my home workstation have the DF bit set, because that is part of the Path MTU Discovery procedure in RFC 1191. As my OpenWRT-based router had a lower MTU than the default of 1500, the connection stalled as soon as there was a bulk of data to transmit; interactive SSH sessions worked just fine, because their small segments never exceeded the MTU. An easy way to debug this is to run tracepath(8) against the target: it stops at the first hop that silently drops packets instead of emitting the proper error messages.
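To see the difference between a hop that answers with Fragmentation Needed and one that silently drops, here is an added example (not from the original post) that probes the path MTU with DF-marked ICMP echo requests, the same mechanism RFC 1191 relies on for TCP. It assumes iputils ping (`-M do` prohibits fragmentation), IPv4 without options (20-byte IP header plus 8-byte ICMP header), and a hypothetical target 10.0.0.9; the `PING` variable is only there so the search logic can be exercised against a stand-in.

```shell
#!/bin/sh
# Added example, not the post's or OpenWRT's code.
# Probe the path MTU toward a host with DF-set pings, then binary-search the
# largest packet that still gets through when no hop reports an MTU.
# Assumptions: iputils ping with -M do, IPv4, no IP options.

PING=${PING:-ping}       # overridable so the logic can be tested without a network
IP_ICMP_OVERHEAD=28      # 20-byte IPv4 header + 8-byte ICMP header, added on top of -s

# probe HOST PAYLOAD -> prints exactly one of:
#   ok              echo reply came back, so PAYLOAD+28 bytes fit the whole path
#   fragneeded=N    a router answered ICMP type 3 code 4 advertising next-hop MTU N
#   local           the local interface is smaller than the probe (ping refused to send)
#   silent          nothing came back: the symptom of a bridge that drops DF packets
probe() {
    host=$1
    payload=$2
    if out=$($PING -M do -c 1 -W 1 -s "$payload" "$host" 2>&1); then
        echo ok
        return 0
    fi
    case $out in
        *"rag needed"*)
            mtu=${out##*mtu = }     # "... Frag needed and DF set (mtu = 1492)"
            mtu=${mtu%%)*}
            echo "fragneeded=$mtu" ;;
        *"message too long"*)
            echo local ;;
        *)
            echo silent ;;
    esac
}

# find_pmtu HOST LO HI -> largest total packet size in [LO, HI] that is echoed back.
# A router that reports its MTU shortcuts the search, exactly as PMTUD does; a
# silent hop forces the slow way: shrink until the replies come back.
find_pmtu() {
    host=$1
    lo=$2
    hi=$3
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        r=$(probe "$host" $(( mid - IP_ICMP_OVERHEAD )))
        case $r in
            ok)
                best=$mid
                lo=$(( mid + 1 )) ;;
            fragneeded=*)
                adv=${r#fragneeded=}
                # trust the advertised MTU only if it actually narrows the search
                if [ "$adv" -gt 0 ] && [ "$adv" -lt "$mid" ]; then
                    hi=$adv
                else
                    hi=$(( mid - 1 ))
                fi ;;
            *)
                hi=$(( mid - 1 )) ;;
        esac
    done
    echo "$best"
}

if [ -n "${1:-}" ]; then
    echo "path MTU to $1: $(find_pmtu "$1" 576 1500) bytes"
fi
```

Run it as `sh pmtu-probe.sh 10.0.0.9` and compare with `tracepath 10.0.0.9`: on a routed path the first oversized probe produces a `fragneeded=` answer and the search finishes in a couple of steps, whereas behind a bridge every oversized probe comes back `silent` and only the binary search finds the size that gets through.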