Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On Thu, Jun 14, 2012 at 08:17:35AM +0200, Hans Schillstrom wrote:
> > I think it is wrong to always force the DF bit in IPv4, it's better
> > to have an option. If an application doesn't set the DF bit, usually it
> > doesn't expect to get an icmp back either. The result is that the
> > packet will be dropped...
> >
> > To retain backwards compatibility I suggest adding a new option like
> >
> > --ipv4-df-copy Do not force "Don't Fragment" on the copied packet,
> > just copy the bit.
> >
> > In IPv6 we don't have that option, so nothing has to be done there.
> > --- a/net/netfilter/xt_TEE.c
> > +++ b/net/netfilter/xt_TEE.c
> > @@ -117,7 +117,8 @@ tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
> > * decreased MTU on the clone route. IPv6 does this too.
> > */
> > iph = ip_hdr(skb);
> > - iph->frag_off |= htons(IP_DF);
> > + if (!info->df_copy)
> > + iph->frag_off |= htons(IP_DF);

Wouldn't it make more sense to just remove the
iph->frag_off |= htons(IP_DF); line?

I don't think forcing DF is a good idea.

Or are you dealing with some application that sets DF, but then fails to
handle the icmp error?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
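Review bot: the comment directly above the hunk in tee_tg4() ("decreased MTU on the clone route. IPv6 does this too.") still describes unconditional DF forcing and becomes stale once the `|=` is guarded by `if (!info->df_copy)`; it should say that DF is forced only when df_copy is clear and that otherwise the clone keeps the original packet's DF setting, which is the behaviour the cover text promises for --ipv4-df-copy. The hunk also reads `info->df_copy`, but neither the definition of that field in the target info structure nor the point where `info` is obtained from `par` is in the quoted context, so the change cannot be reviewed for completeness as posted; the struct and userspace option changes should accompany this hunk in the same series.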