Subject: Re: MSS clamping proposal
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 03/11/2002 14:50:35
>>  - It should be part of IP-Filter. Doing NAT is a good excuse to touch
>>    parts of packets we never should touch when acting as a router.
> This doesn't help machines that have *real* IP addresses behind the
> router.

Nobody says you have to actually do NAT with ipnat.

> It doesn't belong in ipnat.  It's a hack to begin with (even with
> NAT, you can manually modify the MSS of the internal boxes), but if
> it's to be added, it needs to be applied uniformly to NAT or non-NAT
> internal machines.

...which is not, as far as I can see, a reason for splitting it out
from ipnat.  I think rolling it into ipnat is about as good a place for
it as you're going to find.  As the first message pointed out, NAT
already violates layering in the same way MSS clamping does, and (also
like MSS clamping) is an "it doesn't really _fix_ anything, but it
makes data flow while breaking little enough to be useful to a
nontrivial set of people" paper-over-the-problem thing.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
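
An added illustration, not part of the message above and not NetBSD or IP-Filter code: a minimal C sketch of what a router has to touch to clamp MSS, namely the MSS option inside the TCP header of a SYN and the TCP checksum that covers it. The function names, the `demo` helper and the constructed sample SYN are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static uint16_t swap16(uint16_t v) { return (uint16_t)(v << 8 | v >> 8); }

/* Folded ones'-complement sum of an even-length buffer; 0xffff means it verifies. */
uint16_t sum16(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += rd16(p + i);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Lower the MSS option of a TCP SYN in place: 1 rewritten, 0 untouched, -1 malformed. */
int clamp_mss(uint8_t *tcp, size_t len, uint16_t max_mss)
{
    if (len < 20) return -1;
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;       /* data offset, in bytes */
    if (hlen < 20 || hlen > len) return -1;
    if (!(tcp[13] & 0x02)) return 0;                /* MSS is only sent on SYN */
    for (size_t i = 20; i < hlen; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                       /* end of option list */
        if (kind == 1) { i++; continue; }           /* NOP padding */
        if (i + 1 >= hlen || tcp[i + 1] < 2 || i + tcp[i + 1] > hlen) return -1;
        if (kind != 2) { i += tcp[i + 1]; continue; }
        if (tcp[i + 1] != 4) return -1;
        uint16_t old = rd16(tcp + i + 2), neu = max_mss;
        if (old <= max_mss) return 0;
        wr16(tcp + i + 2, max_mss);
        if (i & 1) { old = swap16(old); neu = swap16(neu); } /* value straddles two words */
        /* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') */
        uint32_t s = (uint16_t)~rd16(tcp + 16) + (uint32_t)(uint16_t)~old + neu;
        while (s >> 16) s = (s & 0xffff) + (s >> 16);
        wr16(tcp + 16, (uint16_t)~s);
        return 1;
    }
    return 0;
}

/* Constructed SYN with MSS 1460 (sample ports/seq/window); pad = 1 puts MSS at an odd offset.
   Returns the MSS after clamping, or -1 if parsing failed or the checksum no longer verifies. */
int demo(int pad, uint16_t max_mss)
{
    uint8_t t[28] = { 0x04,0x00, 0x00,0x50, 0,0,0,1, 0,0,0,0, 0x70,0x02, 0xff,0xff,
                      [20] = 1,1,1,1,1,1,1,1 };     /* option area starts as NOPs */
    uint8_t *o = t + 20 + pad; o[0] = 2; o[1] = 4; wr16(o + 2, 1460);
    wr16(t + 16, (uint16_t)~sum16(t, sizeof t));    /* pseudo-header left out on both sides */
    if (clamp_mss(t, sizeof t, max_mss) < 0 || sum16(t, sizeof t) != 0xffff) return -1;
    return rd16(o + 2);
}
```

The incremental checksum update is the same kind of fix-up a NAT applies after rewriting addresses or ports.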