# Stateless rewrite of the destination address in the raw table; only the
# client-to-server direction is touched here.
table raw {
	chain prerouting {
		type filter hook prerouting priority -300;
		ip daddr 179.x.x.x udp dport 61023 ip daddr set 172.25.120.2
	}
}
Basically the first VPN TLS packet gets through |TLS: new session incoming
connection from|, but then the VPN stops dead in its tracks. I suppose that is
because raw is still stateless?
Yes, it's stateless, so the reverse direction isn't translated.
You can of course do this manually, but ICMP path MTU messages won't be
translated either.
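The two ways out that the reply above points at, written out as an added example (this is not a ruleset from the thread, and the concrete addresses and interface name are assumptions: 203.0.113.10 stands in for the public address shown as 179.x.x.x in the post, 172.25.120.2 is the internal OpenVPN endpoint named in the post, and eth0 is the assumed WAN interface). Load one variant or the other, not both: a stateless rewrite in raw happens before the nat hook, so the dnat rule would never see the packet.

```nft
# Added example, not from the original thread. 203.0.113.10, 172.25.120.2 as
# the VPN endpoint and eth0 are assumptions for illustration.

# Variant 1: stay stateless, as in the original ruleset, but add the reverse
# direction by hand. Without the postrouting rule the VPN server replies from
# 172.25.120.2, an address the client never sent to, so the client discards
# the reply and the session stalls after the first packet.
table ip raw {
	chain prerouting {
		type filter hook prerouting priority -300;
		iif eth0 ip daddr 203.0.113.10 udp dport 61023 ip daddr set 172.25.120.2
	}
	chain postrouting {
		type filter hook postrouting priority -300;
		oif eth0 ip saddr 172.25.120.2 udp sport 61023 ip saddr set 203.0.113.10
	}
}
# Caveat from the reply: an ICMP "fragmentation needed" error sent back for
# this flow is addressed to 203.0.113.10, is not UDP, and carries a quoted
# inner header; neither rule rewrites it, so it never reaches 172.25.120.2 and
# path MTU discovery through this hop breaks.

# Variant 2: let conntrack do the work. dnat translates the reply direction and
# related ICMP errors automatically. The empty postrouting nat chain registers
# the reverse hook, which older kernels require even when it holds no rules.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority -100;
		iif eth0 ip daddr 203.0.113.10 udp dport 61023 dnat to 172.25.120.2
	}
	chain postrouting {
		type nat hook postrouting priority 100;
	}
}
```

Check the syntax before loading with `nft -c -f ruleset.nft`, and confirm the second variant is actually tracking the flow with `conntrack -L -p udp --dport 61023` once the first VPN packet has arrived.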
Having deployed |tcp_mtu_probing| (RFC 4821) on all systems and set the MTU
to 9000 on the interfaces seems to work well; at least thus far I have not
experienced any adverse effects.
Though OpenVPN may still rely on ICMP path MTU... but that is a
different matter altogether.
I wish, though, that there were a conntrack hook in |netdev| so that
routing decisions could conveniently be moved there.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html