Hi David!

On Mon, Dec 30, 2013 at 10:20:44PM -0500, David Miller wrote:

The only thing left are things like AH and ESP, which also perform
some level of validation making sure that some state exists.  And
frankly for non-tunneled IPSEC this PMTU information is absolutely
essential.

I am trying to finish the testing of these patches with ipsec.

What do you mean here by non-tunneled IPSEC? Transport mode is not an issue
with this patch as we don't push packets for transport mode through
forwarding. Tunneled mode would invoke fragmentation again. It is always
ensured that mtu in ip_forward is higher than when xfrm layer checks with
dst_mtu, so nothing should break here.

Thank you,

  Hannes