From ba356367182e055ffb1ba6c80651540f7dc7797e Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 26 Mar 2010 23:48:29 +0100
Subject: [PATCH] xt_TEE: set dont-fragment on cloned packets
---
 doc/changelog.txt | 1 +
 extensions/xt_TEE.c | 14 +++++++++-----
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 1c630d3..a170667 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -3,6 +3,7 @@ HEAD
 ====
 - TEE: do rechecksumming in PREROUTING too
 - TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
 
 
 Xtables-addons 1.24 (March 17 2010)
diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c
index b6aa69a..00cc3ad 100644
--- a/extensions/xt_TEE.c
+++ b/extensions/xt_TEE.c
@@ -145,6 +145,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 const struct xt_tee_tginfo *info = par->targinfo;
 struct sk_buff *skb = *pskb;
+ struct iphdr *iph;
 
 #ifdef WITH_CONNTRACK
 if (skb->nfct == &tee_track.ct_general) {
@@ -172,14 +173,17 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 *
 * We also decrease the TTL to mitigate potential TEE loops
 * between two hosts.
+ *
+ * Set %IP_DF so that the original source is notified of a potentially
+ * decreased MTU on the clone route. IPv6 does this too.
 */
+ iph = ip_hdr(skb);
+ iph->frag_off |= htons(IP_DF);
 if (par->hooknum == NF_INET_PRE_ROUTING ||
- par->hooknum == NF_INET_LOCAL_IN) {
- struct iphdr *iph = ip_hdr(skb);
-
+ par->hooknum == NF_INET_LOCAL_IN)
 --iph->ttl;
- ip_send_check(iph);
- }
+ ip_send_check(iph);
+
 #ifdef WITH_CONNTRACK
 /*
 * Tell conntrack to forget this packet since it may get confused
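Review bot: The new comment in the second xt_TEE.c hunk covers only the notification to the original source and leaves out the other effect of the unconditional `iph->frag_off |= htons(IP_DF);`. A clone larger than the clone-route MTU will presumably be dropped instead of fragmented, so a monitor or IDS fed by TEE can silently miss exactly those packets. The MTU of the mirror path then also influences the production flow through the ICMP error, which is worth stating for operators who filter ICMP. I would add to the comment something like `Clones that exceed the clone-route MTU are dropped, not fragmented, so the copy stream is lossy for oversize packets.` tee_tg4 starts and ends outside the hunk, so whether `skb` is already the private copy when the header is written cannot be confirmed from here.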