xt_TEE: set dont-fragment on cloned packets
authorJan Engelhardt <jengelh@medozas.de>
Fri, 26 Mar 2010 22:48:29 +0000 (23:48 +0100)
committerJan Engelhardt <jengelh@medozas.de>
Sun, 4 Apr 2010 22:47:08 +0000 (00:47 +0200)
doc/changelog.txt
extensions/xt_TEE.c

index 1c630d3d5011eb60a857443929f79e0df2f50286..a170667b04a9bbdbe262a20c0ab707007f7c0329 100644 (file)
@@ -3,6 +3,7 @@ HEAD
 ====
 - TEE: do rechecksumming in PREROUTING too
 - TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
 
 
 Xtables-addons 1.24 (March 17 2010)
index b6aa69a36d2e461c5af96b9e8c7a052ea4693a32..00cc3ad367207de1be87b1697d4aab863c2e8cb5 100644 (file)
@@ -145,6 +145,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
        const struct xt_tee_tginfo *info = par->targinfo;
        struct sk_buff *skb = *pskb;
+       struct iphdr *iph;
 
 #ifdef WITH_CONNTRACK
        if (skb->nfct == &tee_track.ct_general) {
@@ -172,14 +173,17 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
         *
         * We also decrease the TTL to mitigate potential TEE loops
         * between two hosts.
+        *
+        * Set %IP_DF so that the original source is notified of a potentially
+        * decreased MTU on the clone route. IPv6 does this too.
         */
+       iph = ip_hdr(skb);
+       iph->frag_off |= htons(IP_DF);
        if (par->hooknum == NF_INET_PRE_ROUTING ||
-           par->hooknum == NF_INET_LOCAL_IN) {
-               struct iphdr *iph = ip_hdr(skb);
-
+           par->hooknum == NF_INET_LOCAL_IN)
                --iph->ttl;
-               ip_send_check(iph);
-       }
+       ip_send_check(iph);
+
 #ifdef WITH_CONNTRACK
        /*
         * Tell conntrack to forget this packet since it may get confused
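Review bot: The `--iph->ttl` in the PRE_ROUTING/LOCAL_IN branch has no lower bound, so a packet arriving with TTL 0 wraps to 255 (the field is 8 bits wide) and one arriving with TTL 1 is cloned out with TTL 0; either case weakens the loop mitigation described in the comment above. Consider testing `iph->ttl <= 1` before the decrement and dropping the clone instead of sending it; the cleanup path is outside this hunk, so the exact form has to follow the rest of tee_tg4. The new `iph->frag_off |= htons(IP_DF);` applies on every hook, so the comment could also say that ICMP fragmentation-needed errors from the clone route will reach the original sender and can lower its path MTU towards the real destination, which is presumably an accepted trade-off. Both header writes assume skb is already the private copy at this point, which the hunk does not show.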