We notice the following behavior:
When you have a bridge + firewall rules, but no conntrack enabled, there's no forwarding of fragmented packets. While there is a bridge + firewall rules, you must turn on conntrack in order to have fragmented packets forwarded. If you simply turn off conntrack and remove all firewall rules (it does not matter what the rules do), fragmented packets are forwarded normally.
You can check this out as follows:
1. Set up a ROS as a bridge. No firewall rules and no conntrack enabled;
2. Start pinging from host A to host B through the bridged ports with 1473 bytes;
   (At this point you should be able to get an echo reply normally)
3. Then, while pinging, insert a firewall rule (any firewall rule);
   (At this point you shouldn't be able to get an echo reply)
By removing the firewall rules you can ping again with 1473 bytes, or you will need conntrack enabled to get this working. In other words: on a ROS bridge + firewall rules (not bridge filter rules) you can't forward packet fragments unless you have conntrack enabled.
Thought this could be helpful. This was noticed in various 2.9.x ROS versions. Thanks.
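The check described in the post, written up as a small script run from host A. This is an added example, not part of the original post or of RouterOS itself. It assumes Linux iputils `ping` (the `-c`, `-W` and `-s` flags), host B reachable at the address given as the first argument, and RouterOS 2.9 CLI syntax for the two commands quoted in the trailing comments; the sample ping outputs are constructed, not real captures. A 1473-byte payload gives a 1501-byte IP datagram, so it is fragmented on a 1500-byte MTU, while the 56-byte control ping is not; comparing the two tells a fragment-forwarding failure apart from a general connectivity problem.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the fragment test from host A.
# Assumptions: Linux iputils ping (-c/-W/-s), host B given as $1 to probe(), and the
# RouterOS 2.9 CLI lines in the comments at the end.

# Count echo replies in captured ping output ($1). Each reply line carries "bytes from".
count_replies() {
    printf '%s\n' "$1" | grep -c 'bytes from' || true
}

# Verdict from two probes: $1 = replies to a 56-byte (unfragmented) ping,
# $2 = replies to a 1473-byte ping (1501-byte IP datagram, fragmented at 1500 MTU).
diagnose() {
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then
        echo "fragments-dropped"   # plain pings pass, fragments do not: the symptom in the post
    elif [ "$1" -gt 0 ]; then
        echo "ok"
    else
        echo "no-connectivity"     # even small pings fail: not a fragment problem
    fi
}

# Live probe against host B (needs the real bridge; not exercised by the offline self-check).
probe() {
    small=$(ping -c 3 -W 2 -s 56 "$1" 2>&1 || true)
    large=$(ping -c 3 -W 2 -s 1473 "$1" 2>&1 || true)
    diagnose "$(count_replies "$small")" "$(count_replies "$large")"
}

# Constructed sample outputs (not real captures) so the logic can be checked offline.
SAMPLE_OK='PING 192.0.2.20 (192.0.2.20) 56(84) bytes of data.
64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=0.41 ms
64 bytes from 192.0.2.20: icmp_seq=2 ttl=64 time=0.39 ms
64 bytes from 192.0.2.20: icmp_seq=3 ttl=64 time=0.40 ms

--- 192.0.2.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms'

SAMPLE_DROPPED='PING 192.0.2.20 (192.0.2.20) 1473(1501) bytes of data.

--- 192.0.2.20 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2041ms'

# Offline self-check: firewall rule present, conntrack off -> expect "fragments-dropped".
diagnose "$(count_replies "$SAMPLE_OK")" "$(count_replies "$SAMPLE_DROPPED")"

# Uncomment to run against a real host B through the bridge:
# probe 192.0.2.20

# RouterOS side (assumed 2.9 CLI syntax), entered on the bridge between the two hosts:
#   /ip firewall filter add chain=forward action=accept     # any rule triggers the behaviour
#   /ip firewall connection tracking set enabled=yes        # restores fragment forwarding
```

Run `probe <host-B>` once with no firewall rules, once after adding any filter rule, and once more with connection tracking enabled; the verdict should go from `ok` to `fragments-dropped` and back to `ok`, matching the three states the post describes.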