Hi,

> Sent: Tuesday, 04 May 2021 at 13:42
> From: "Pablo Neira Ayuso" <pablo@xxxxxxxxxxxxx>
> You also need TCP clamp MTU in a non-flowtable setup.

Hi, that's clear now, but I guess I have not had many problems till now because of path discovery.

> > $ifwan is my ppp8, and "tcp flags syn" imho should match syn and syn+ack.
>
> syn+ack matches iifname $ifwan.

IMHO this depends on the initiator of the connection. If I try to establish a connection from my LAN, this is true, and MSS is set by oifname ppp0. AFAIR the SYN-ACK from the "server" does use my size for the SYN-ACK (if it is smaller than its size), or am I wrong?

If I initiate a connection from the public internet, I need to match iifname ppp0, but only if my ISP does not modify MSS when pushing the initial SYN packet through the ppp tunnel. But AFAIR in this case I modify MSS with oifname, but on the response (SYN-ACK) I send back to the initiator.

> Only the two initial syn and syn+ack packets follow the classic
> forwarding path. Therefore, the FORWARD chain in your example above is
> evaluated only for the two initial packets of the TCP connection.
>
> You should add the 'flow add' rule at the bottom of your ruleset in
> your example above.

Good to know, so the flowtable does always "accept" matching packets (here all UDP/TCP), right? And the final forward policy never hits if the flowtable condition matches.

Regards
Frank
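An added example ruleset, not the one from the thread, showing the layout the exchange above is about: MSS clamping on the handshake packets in both directions (oifname and iifname on the WAN side), the policy decisions for new connections, and the 'flow add' rule placed after them so only already-established packets get offloaded. The interface names ppp0 and br0, the flowtable name ft and the chain layout are assumptions for this example.

```nft
# Example only; interface names are placeholders, not the poster's setup.
define ifwan = "ppp0"
define iflan = "br0"

table inet filter {
    flowtable ft {
        hook ingress priority 0
        devices = { ppp0, br0 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop

        # Clamp MSS on the handshake packets in both directions.
        # "tcp flags syn" matches SYN and SYN+ACK, so a LAN-initiated
        # SYN leaving via the WAN link and the peer's SYN+ACK arriving
        # on it are both covered; the reverse holds for WAN-initiated
        # connections. These packets never reach the flowtable anyway.
        oifname $ifwan tcp flags syn tcp option maxseg size set rt mtu
        iifname $ifwan tcp flags syn tcp option maxseg size set rt mtu

        # Policy for new connections is decided here, before offload:
        # LAN may open connections to the WAN, the WAN may not open
        # connections to the LAN (they fall through to the drop policy).
        iifname $iflan oifname $ifwan ct state new accept

        # Offload established TCP/UDP flows. 'flow add' is non-terminal,
        # so the accept below still applies to this packet; once the
        # flow is in the flowtable, its later packets bypass this chain.
        meta l4proto { tcp, udp } ct state established flow add @ft
        ct state established,related accept
    }
}
```

Load with `nft -f <file>`; `nft list flowtables` and `conntrack -L` (look for the [OFFLOAD] flag) show which connections have left the classic forwarding path.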