On Mon, Apr 20, 2015 at 11:19:16AM +0100, Daniel Collins wrote: > Hi > > A little background: The 'socket' match is used with the tproxy > feature, so a process may bind to and spoof an arbitrary client IP > address. In iptables, the socket match is used in PREROUTING to match > any traffic addressed to such sockets, we then use that to set a mark > on the packet and force it to be routed locally rather than being > passed onto the real holder of that IP address. > > If tproxy AND iptables-controlled policy routing (i.e. set mark in > OUTPUT, use that in ip rule) is in use AND the new egress interface > has a lower MTU than the original AND the server sent us a SYN-ACK > packet with an MSS larger than the new egress interface can transmit, > Linux will generate an ICMP fragmentation needed message, but we don't > get to process that since socket cannot be used in OUTPUT. I think you can use the TCPMSS target from INPUT to mangle the mss to your mtu. I guess you're willing to avoid fragmentation as well. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html