Kyle Larose <kyle@xxxxxxxxxxxx> wrote:
> On 6 September 2018 at 09:15, Florian Westphal <fw@xxxxxxxxx> wrote:
> > Can you queue before conntrack, i.e. in raw prerouting or output?
>
> Thanks for the suggestions.
>
> By 'queue', do you mean into nfqueue, -j NFQUEUE?
> I tried placing the packets into nfqueue in raw:output, and that stopped the
> problem from occurring.

Yep.

> However, I lost the benefits of connection tracking due to it.

What conntrack features do you use?

Upon reinject the packet(s) should be picked up by conntrack.

> I guess I could match DNS packets there, and everything else later.
> Solves the DNS problem, but not my worry about UDP in general.

This problem is pretty much exclusive to DNS resolvers, for streams the one
dropped packet doesn't really matter.
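An nftables ruleset that lays out the split Kyle describes, DNS queued from the raw-priority output hook (before conntrack runs, so the packet is reinjected and then picked up by conntrack) and everything else queued from the normal filter-priority hook. This is an added illustration, not a ruleset from the thread; the table and chain names, the queue numbers and the choice of the output hook only are assumptions.

```nft
# Constructed example ruleset (not from the thread).
# Raw priority (-300) runs before the conntrack hook (-200), so packets
# queued here have no conntrack entry yet; after the userspace verdict
# they are reinjected and continue through conntrack as usual.
table inet dnsq {
    chain out_raw {
        type filter hook output priority raw; policy accept;
        # Queue outgoing DNS queries to userspace before conntrack sees them.
        udp dport 53 queue num 0
    }
}

# Filter priority (0) runs after conntrack, so ct state and the rest of
# connection tracking are available for everything that is not DNS.
table inet otherq {
    chain out_filter {
        type filter hook output priority filter; policy accept;
        # Everything except DNS is queued here, with conntrack state attached.
        udp dport != 53 ct state new queue num 1
    }
}
```

Load with `nft -f <file>`; both queue numbers need a userspace listener bound to them, or add `bypass` to the queue statements to let packets through when no listener is attached.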