
I am using Linux as a router.

The machine has two NICs. This router will be used for experiments, so I have set one of its interfaces to have an MTU that is lower than the standard (let's say the MTU has been set to 200, for the sake of argument).

Now, most routers (or maybe all routers?) have the ability to decide whether or not they fragment IP packets that exceed the MTU.

I would like to have the same behavior on my Linux machine - I don't want packets to be fragmented. Oversized packets should be dropped. If the DF flag is on, I would like the interface to return an ICMP message ("packet too big, DF set to 1").

How can this be done?

summerbulb

1 Answer


If the DF bit is set then the router (router here being any device that routes a packet from one interface to another) will not fragment. That's the purpose of allowing the host to set the DF bit: because you do not want fragmentation.

Regardless, if a router fragments a packet that has the DF bit set then it is not RFC compliant. Whether or not to send an ICMP unreachable message is a different story.

Typically, you want this behavior because it allows for PMTU discovery, but a lot of people disable it for fear of DoS attacks, since it drains router resources to generate those messages given enough packets.

So now back to your real question ha ha, sorry if that was stuff you already knew. iptables has the ability to drop based on packet size. If you don't want to send those ICMP unreachable messages you can use iptables for that as well...

http://www.linuxtopia.org/Linux_Firewall_iptables/x2682.html

matak
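The decision the answer describes, as an added example that is not part of the original question or answer: a small in-memory model of what a router does at the egress interface with a 200-byte MTU. It builds IPv4 datagrams, checks total length against the MTU, and for an oversized packet with DF set produces the ICMP Destination Unreachable code 4 ("fragmentation needed and DF set") reply with the next-hop MTU field from RFC 1191, addressed back to the sender. The router address `10.0.0.1`, the sample source and destination addresses and the sample payloads are all constructed for the example.

```python
"""Added example: a model of the egress-MTU decision a router makes for IPv4
packets (RFC 791 header, RFC 792 ICMP, RFC 1191 next-hop MTU field).

This is not code from the original post. It does not touch real interfaces; it
builds packets in memory so the three cases can be inspected offline:
  - packet fits the egress MTU   -> forward unchanged
  - oversized, DF clear          -> drop (the "never fragment" policy)
  - oversized, DF set            -> drop and return ICMP type 3 code 4
                                    "fragmentation needed and DF set"
"""
import socket
import struct

DF_FLAG = 0x4000          # "don't fragment" bit in the flags/fragment-offset field
EGRESS_MTU = 200          # the deliberately small MTU from the question
ROUTER_IP = "10.0.0.1"    # assumed address of the router's egress interface


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, df=False, proto=17, ttl=64, ident=0x1234):
    """Build a datagram with a plain 20-byte IPv4 header and correct checksum."""
    flags_frag = DF_FLAG if df else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the forwarding decision needs; reject malformed headers."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"ihl": ihl, "total_len": total_len, "proto": proto,
            "df": bool(flags_frag & DF_FLAG),
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def build_frag_needed(orig: bytes, router_ip: str, next_hop_mtu: int) -> bytes:
    """ICMP Destination Unreachable, code 4, carrying the next-hop MTU (RFC 1191)
    and the offending header + first 8 payload bytes, addressed to the sender."""
    info = parse_ipv4(orig)
    quoted = orig[: info["ihl"] + 8]
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    icmp = icmp[:2] + struct.pack("!H", ip_checksum(icmp)) + icmp[4:]
    return build_ipv4(router_ip, info["src"], icmp, proto=1)


def parse_frag_needed(reply: bytes) -> dict:
    """Decode an ICMP frag-needed reply so callers can check what was sent."""
    info = parse_ipv4(reply)
    icmp = reply[info["ihl"]:info["total_len"]]
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    return {"to": info["dst"], "from": info["src"], "proto": info["proto"],
            "type": typ, "code": code, "next_hop_mtu": mtu,
            "checksum_ok": ip_checksum(icmp) == 0, "quoted": icmp[8:]}


def egress_decision(pkt: bytes, mtu: int = EGRESS_MTU, router_ip: str = ROUTER_IP):
    """Return (action, reply); reply is an ICMP datagram or None."""
    info = parse_ipv4(pkt)
    if info["total_len"] <= mtu:
        return "forward", None
    if not info["df"]:
        return "drop", None               # policy from the question: never fragment
    return "drop-icmp-frag-needed", build_frag_needed(pkt, router_ip, mtu)


# Constructed sample traffic: one 150-byte and two 300-byte UDP datagrams.
SMALL = build_ipv4("192.168.1.10", "203.0.113.5", b"A" * 130)
BIG_NO_DF = build_ipv4("192.168.1.10", "203.0.113.5", b"B" * 280)
BIG_DF = build_ipv4("192.168.1.10", "203.0.113.5", b"C" * 280, df=True)


if __name__ == "__main__":
    for name, pkt in (("small", SMALL), ("big/no-DF", BIG_NO_DF), ("big/DF", BIG_DF)):
        action, reply = egress_decision(pkt)
        print(f"{name:10s} len={parse_ipv4(pkt)['total_len']:3d} -> {action}")
        if reply:
            print("  ICMP reply:", parse_frag_needed(reply))
```

On a real Linux router the DF case is already handled by the kernel: a forwarded packet with DF set that exceeds the egress MTU is dropped and a type 3 code 4 ICMP is sent with that interface's MTU, which is what the model above reproduces. What the kernel will do by default is fragment the non-DF case, so that is the part the answer's iptables suggestion covers; a length match in the FORWARD chain on the egress interface, of the shape `iptables -A FORWARD -o <egress-if> -m length --length 201:65535 -j DROP`, drops anything whose IP total length exceeds the 200-byte MTU before fragmentation happens (the `length` match compares the layer-3 total length, the same field `parse_ipv4` checks above).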