On Wed, 23 Apr 2003, Mathias Sundman wrote:

> If a machine on LocalNet1 sends full size packets (1500b)
> to a machine on LocalNet2, it will exceed 1500 bytes
> when it's encrypted and sent over the internet. These packets
> will then be fragmented. This is fine as long as the fragments
> get through...

How about using -j TCPMSS --clamp-mss-to-pmtu or setting mtu to a lower value to avoid fragmentation?

> That seemed to do the trick, but I'd like to do this only if the
> original packet had the DF flag set, so my question is, is it
> possible to check whether the DF flag is set or not?

AFAIK there are no matches like that, but writing one would be very easy. I can do it for you if you are desperate.

Though I am not a networking / bridging guru, I believe there must be a way to solve your problem without clever netfilter tricks.

Regards,
Maciej
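As an added illustration of the two points in this exchange (not code from either poster): reading the DF bit out of a raw IPv4 header, deciding what happens to an oversized packet once the tunnel adds its encapsulation, and the MSS value a --clamp-mss-to-pmtu rule would advertise. The 60-byte overhead and the sample header are assumed/constructed values.

```python
import struct

IPV4_DF = 0x4000       # "Don't Fragment" bit in the flags/fragment-offset word
IPV4_MF = 0x2000       # "More Fragments" bit
TCP_IP_HEADERS = 40    # minimal IPv4 (20) + TCP (20) headers, as TCPMSS assumes for IPv4
TUNNEL_OVERHEAD = 60   # assumed encapsulation/encryption overhead in bytes (tunnel-specific)


def parse_ipv4_header(header: bytes):
    """Return (total_length, df_set, mf_set, frag_offset_bytes) from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header must be at least 20 bytes")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    total_length = struct.unpack("!H", header[2:4])[0]
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return (total_length,
            bool(flags_frag & IPV4_DF),
            bool(flags_frag & IPV4_MF),
            (flags_frag & 0x1FFF) * 8)


def tunnel_outcome(total_length: int, df_set: bool,
                   link_mtu: int = 1500, overhead: int = TUNNEL_OVERHEAD) -> str:
    """What the tunnel endpoint does with a packet once encapsulation adds `overhead` bytes."""
    if total_length + overhead <= link_mtu:
        return "forwarded"          # fits the outer link, no fragmentation
    if df_set:
        return "icmp-frag-needed"   # DF set: cannot fragment, must drop and report
    return "fragmented"             # DF clear: outer packet is split into fragments


def clamped_mss(link_mtu: int = 1500, overhead: int = TUNNEL_OVERHEAD) -> int:
    """MSS that --clamp-mss-to-pmtu would write into a SYN so TCP segments fit the tunnel."""
    return (link_mtu - overhead) - TCP_IP_HEADERS


def build_ipv4_header(total_length: int, df: bool) -> bytes:
    """Constructed sample: minimal 20-byte IPv4 header carrying TCP, checksum left zero."""
    flags_frag = IPV4_DF if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, flags_frag,
                       64, 6, 0, bytes([192, 168, 1, 10]), bytes([192, 168, 2, 20]))


if __name__ == "__main__":
    for df in (True, False):
        length, df_set, _, _ = parse_ipv4_header(build_ipv4_header(1500, df))
        print(f"len={length} DF={df_set}: {tunnel_outcome(length, df_set)}")
    print("clamped MSS:", clamped_mss())
```

A full-size packet with DF set cannot be fragmented after encapsulation, which is exactly the case where clamping the MSS up front avoids the drop.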