Michał Kępień
2014-Sep-22 07:14 UTC
[Bridge] Forwarding large fragmented IPv6 packets broken by nf_defrag_ipv6
Greetings,

I have found an interoperability issue between two kernel modules: bridge and nf_defrag_ipv6. After analyzing the issue, I decided to post to this list first, assuming it would be more appropriate. However, if this should be reported to another party, please let me know and I'll be happy to follow your guidelines.

I believe kernel commit 6aafeef broke forwarding of large fragmented IPv6 packets through a bridge when conntrack is enabled. That commit, when nf_defrag_ipv6 is loaded, causes br_dev_queue_push_xmit() to receive a "reassembled SKB" containing a list of fragments, instead of the fragment SKBs themselves. That in turn causes the is_skb_forwardable() call to return false, as it compares the reassembled packet size to the destination MTU. If the former is larger, the packet is silently dropped, even though it has been marked as ACCEPTed in ip6tables.

If the above description is unclear, please let me know and I'll describe an example setup which would demonstrate the issue.

I came across this problem after putting a DNSSEC-enabled DNS server behind a transparent firewall running Linux and querying for records which generate large UDP responses.

--
Best regards,
Michał Kępień
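To make the failure mode in the report concrete, the following is an added, simplified C model (not kernel code and not part of the original message) of the two forwarding decisions described above: checking a reassembled head SKB's total length against the MTU versus judging each fragment on its own. The `struct skb` layout, the `frag_list` walk and the 3000-byte three-fragment sample datagram are constructed assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model (added example, not kernel code) of a reassembled
 * socket buffer: a head skb whose frag_list links the original fragments.
 * Lengths are the byte counts that get compared against the port MTU. */
struct skb {
    unsigned int len;        /* total length of this buffer */
    struct skb *frag_list;   /* non-NULL on a reassembled head skb */
    struct skb *next;        /* next fragment in the frag_list */
};

/* The check described in the report: the forwarding decision compares
 * the head skb's (reassembled) length against the outgoing MTU. */
bool forwardable_by_total_len(const struct skb *skb, unsigned int mtu)
{
    return skb->len <= mtu;
}

/* What the bridge saw without nf_defrag_ipv6: every fragment is its own
 * skb and is judged individually, so a large datagram still passes as
 * long as each fragment fits the MTU. */
bool forwardable_per_fragment(const struct skb *skb, unsigned int mtu)
{
    if (skb->frag_list == NULL)
        return skb->len <= mtu;
    for (const struct skb *f = skb->frag_list; f != NULL; f = f->next)
        if (f->len > mtu)
            return false;
    return true;
}

/* Constructed sample: a 3000-byte IPv6 datagram that arrived as three
 * fragments, none larger than a 1500-byte bridge port MTU. */
static struct skb frag3 = { 440, NULL, NULL };
static struct skb frag2 = { 1280, NULL, &frag3 };
static struct skb frag1 = { 1280, NULL, &frag2 };
static struct skb reassembled = { 3000, &frag1, NULL };

/* Returns 1 when the reassembled datagram is dropped by the total-length
 * check even though every fragment would have been forwarded on its own,
 * i.e. the silent drop the report describes. */
int demonstrates_drop(unsigned int mtu)
{
    return !forwardable_by_total_len(&reassembled, mtu) &&
            forwardable_per_fragment(&reassembled, mtu);
}
```

With a 1500-byte MTU the model drops the datagram under the total-length check, while a jumbo MTU large enough to hold the whole reassembled packet lets both checks pass.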