Hello André,

Please double check if you have before and after right in that email. I understand it as such that the behaviour I desire is what the kernel already does?

Kind regards

Noel

On 21.10.19 at 11:34, André Valentin wrote:
> Hi Noel,
>
> I did some tests with copy_df set. In all cases the fragmentation was done
> before encryption.
> Even with namespaces and net.ipv4.ip_no_pmtu_disc=0 it was not possible to
> get fragmentation after encryption (like Cisco is able to).
> In my tests, I always used xfrm interfaces.
>
> But if you find other possibilities, please let me know.
>
> Kind regards,
>
> André
>
> On 19.10.19 at 23:42, Noel Kuntze wrote:
>> Hello list,
>>
>> Does the kernel support IP fragmentation before encapsulation in any way?
>> Even with XFRM interfaces or VTIs?
>> I looked at the XFRM code but did not find any code that deals with
>> fragmenting any packets. If the packet is too large,
>> it is just discarded with an error. If the MTU of the network path is large
>> enough and the packet is pre-fragmented by
>> having an XFRM interface with a sufficiently low MTU, then do fragments get
>> encapsulated?
>>
>> Any enlightenment would be very appreciated!
>>
>> Kind regards
>>
>> Noel
