Hi,

I hope that I am asking on the right list. I am using the SYNPROXY target in production and it's really great. But I'm unable to make Linux kernel passive PMTU discovery work when using the SYNPROXY target. I suspect that it comes from the fact that the conntrack entry for the established connection does not match the ICMP fragmentation needed packet the server is receiving.

The setup is quite simple:

iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state UNTRACKED,INVALID \
    -j SYNPROXY --sack-perm --timestamp --mss 1460 --wscale 7 --ecn
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

The server using SYNPROXY is hosting a Haproxy with an MTU of 1500 and a SYNPROXY MSS set to 1460. The client has a smaller MTU on its path (1400). The TCP handshake works correctly, the client sends its request (GET /), then the server answers with a too-big packet and receives ICMP fragmentation needed packets, which are accepted by the iptables rules, but the server keeps retransmitting too-big packets and the connection never works.

I tried several kernel versions (now using 4.9) and as soon as I remove the iptables SYNPROXY related rules (SYNPROXY and TCP no track) the passive PMTU discovery works again.

Have you ever faced this issue? Is it a known problem when using SYNPROXY, or am I facing something else?

Thank you for your time.

Best Regards,
-- 
Yannis Aribaud
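To make the mail's hypothesis checkable, here is an added Python example (not part of the original post or of netfilter) that builds and parses an ICMPv4 "fragmentation needed" error (type 3, code 4, RFC 1191 layout). It extracts the two things passive PMTU discovery and a stateful firewall depend on: the next-hop MTU in the ICMP header, and the 5-tuple of the quoted (too-big) datagram, which conntrack must map back to an existing flow. The addresses, ports and MTU values are constructed sample data; comparing the quoted tuple from a real capture against the conntrack table is the check a defender would run to confirm or rule out the mismatch the mail suspects.

```python
"""Build and parse ICMPv4 'fragmentation needed' (type 3, code 4) errors.

Added example; constructed data only. Shows the next-hop MTU and the quoted
5-tuple that PMTU discovery and conntrack need from such a packet."""
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(src_ip, dst_ip, sport, dport, next_hop_mtu, orig_len=1500):
    """Construct the ICMP payload (no outer IP header) a router would send
    when a DF-marked datagram src_ip:sport -> dst_ip:dport is too big.
    The quoted part is the original IPv4 header plus 8 bytes of TCP."""
    inner_ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, orig_len, 0x1234, 0x4000,  # IHL=5, DF bit set (required for PMTUD)
        64, IPPROTO_TCP, 0,                 # TTL, protocol, checksum placeholder
        ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    inner_ip = inner_ip[:10] + struct.pack("!H", inet_checksum(inner_ip)) + inner_ip[12:]
    inner_tcp8 = struct.pack("!HHI", sport, dport, 0x11223344)  # ports + sequence number
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = icmp_hdr + inner_ip + inner_tcp8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_frag_needed(icmp_bytes: bytes) -> dict:
    """Validate the error and return next-hop MTU, the quoted tuple and the
    original-direction tuple a stateful firewall would look up.
    Raises ValueError on anything malformed."""
    if len(icmp_bytes) < 8 + 20 + 8:
        raise ValueError("ICMP error too short to carry IP header + 8 bytes")
    if inet_checksum(icmp_bytes) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp_bytes[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError("not a fragmentation-needed error")
    inner = icmp_bytes[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram is not a usable IPv4 header")
    if inet_checksum(inner[:ihl]) != 0:
        raise ValueError("bad quoted IPv4 header checksum")
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    result = {
        "next_hop_mtu": mtu,
        "proto": inner[9],
        "src": src, "dst": dst,
        "df": bool(struct.unpack("!H", inner[6:8])[0] & 0x4000),
        "tcp_mss_hint": mtu - 40,  # IPv4 + TCP headers without options
    }
    if inner[9] == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
        result["sport"], result["dport"] = sport, dport
        # The quoted packet is the server's reply, so the flow to look up is
        # the original direction: client -> server.
        result["lookup_tuple"] = (dst, dport, src, sport)
    return result


def is_valid_frag_needed(icmp_bytes: bytes) -> bool:
    """Boolean wrapper used to test the rejection paths."""
    try:
        parse_frag_needed(icmp_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed scenario from the mail: server MTU 1500, path MTU 1400.
    pkt = build_frag_needed("198.51.100.10", "203.0.113.5", 80, 40000, 1400)
    print(parse_frag_needed(pkt))
```

The `lookup_tuple` field is the point of the exercise: a host handles the ICMP error only if the quoted tuple resolves to a known socket or connection, and a stateful firewall only lets it through if the same tuple resolves to a tracked flow. Capturing the ICMP packet on the SYNPROXY host and comparing that tuple with the conntrack table shows whether the two agree.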