[Shorewall-users] shorewall6: IP fragementation getting blocked?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hey,

I have a setup that has one machine communicating to a server using UDP 
over IPv6. For specifics, it is using collectd with a boosted 
MaxPacketSize in the network config.

What this means is there is some IP fragmentation happening, and that 
is getting REJECTed. My policy is to REJECT, and I have an ALLOW for the 
particular communication I want. What I'm getting in my logs is (I've 
logged the ACCEPT rule for clarity):

Dec  4 16:11:19 xxxx kernel: [67682.239124] 
Shorewall:int2dmz:ACCEPT:IN=br1 OUT=br0 
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=1496 TC=0 HOPLIMIT=63 
FLOWLBL=0 FRAG:0 INCOMPLETE ID:56a39152 PROTO=UDP SPT=37801 DPT=25826 
LEN=1905
Dec  4 16:11:19 xxxx kernel: [67682.239148] 
Shorewall:int2dmz:REJECT:IN=br1 OUT=br0 
SRC=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx 
DST=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx LEN=505 TC=0 HOPLIMIT=63 
FLOWLBL=0 FRAG:1448 ID:56a39152 PROTO=UDP

The rule I have is:
ACCEPT:info     int:br1:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \

dmz:br0:[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx] \
                                 udp     25826

Does anyone have any ideas on how I can ALLOW this fragmentation?

May be a red herring, but if I go over IPv4, I don't get the same 
REJECT, and it appears the data is getting sent.

Many thanks for any responses.

Cheers,

Hugh