From: Jan Engelhardt Date: Fri, 26 Mar 2010 22:48:29 +0000 (+0100) Subject: xt_TEE: set dont-fragment on cloned packets X-Git-Tag: v1.25~6^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba356367182e055ffb1ba6c80651540f7dc7797e;p=thirdparty%2Fxtables-addons.git xt_TEE: set dont-fragment on cloned packets
---
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 1c630d3..a170667 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -3,6 +3,7 @@ HEAD
 ====
 - TEE: do rechecksumming in PREROUTING too
 - TEE: decrease TTL on cloned packet
+- TEE: set dont-fragment on cloned packets
 
 Xtables-addons 1.24 (March 17 2010)
 
diff --git a/extensions/xt_TEE.c b/extensions/xt_TEE.c
index b6aa69a..00cc3ad 100644
--- a/extensions/xt_TEE.c
+++ b/extensions/xt_TEE.c
@@ -145,6 +145,7 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 {
 const struct xt_tee_tginfo *info = par->targinfo;
 struct sk_buff *skb = *pskb;
+ struct iphdr *iph;
 
 #ifdef WITH_CONNTRACK
 if (skb->nfct == &tee_track.ct_general) {
@@ -172,14 +173,17 @@ tee_tg4(struct sk_buff **pskb, const struct xt_target_param *par)
 *
 * We also decrease the TTL to mitigate potential TEE loops
 * between two hosts.
+ *
+ * Set %IP_DF so that the original source is notified of a potentially
+ * decreased MTU on the clone route. IPv6 does this too.
 */
+ iph = ip_hdr(skb);
+ iph->frag_off |= htons(IP_DF);
 if (par->hooknum == NF_INET_PRE_ROUTING ||
- par->hooknum == NF_INET_LOCAL_IN) {
- struct iphdr *iph = ip_hdr(skb);
-
+ par->hooknum == NF_INET_LOCAL_IN)
 --iph->ttl;
- ip_send_check(iph);
- }
+ ip_send_check(iph);
+
 #ifdef WITH_CONNTRACK
 /*
 * Tell conntrack to forget this packet since it may get confused
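Review bot: In the second xt_TEE.c hunk the `if` around `--iph->ttl` loses its braces while its condition still spans two lines, which is the shape where a later added statement silently lands outside the conditional; keep them: `par->hooknum == NF_INET_LOCAL_IN) {`, `--iph->ttl;`, `}`. The new `iph->frag_off |= htons(IP_DF);` is applied to every clone, including one whose original already carries a nonzero fragment offset or MF, where DF has no useful meaning and the original sender gets a PMTU signal it never asked for; a guard such as `if (!(iph->frag_off & htons(IP_OFFSET | IP_MF)))` may be worth considering, hedged because unconditional setting might be the intended behaviour. Moving `ip_send_check(iph);` out of the conditional is right now that the header is written on every path, but it presumes the clone's IP header is linear and writable, which depends on how skb is produced earlier in tee_tg4, outside this hunk. tee_tg4 begins and ends outside the hunk.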