On 6 September 2018 at 09:15, Florian Westphal <fw@xxxxxxxxx> wrote:
> Can you queue before conntrack, i.e. in raw prerouting or output?

Thanks for the suggestions. By 'queue', do you mean into nfqueue, or queue for delay?

I tried placing the packets into nfqueue in raw:output, and that stopped the problem from occurring. However, I lost the benefits of connection tracking due to it.

I guess I could match DNS packets there, and everything else later. Solves the DNS problem, but not my worry about UDP in general.