Suricata

I am running Suricata in AF_PACKET IPS mode, and I am seeing this error when MTU on two interfaces is 1500:

[ERRCODE: SC_ERR_SOCKET(200)] - Sending packet failed on socket 11: Message too long

No TCP traffic appears to be getting through at all.

Testing with iperf revealed that the connection works when MSS is 1458 and below. This would imply that there is a problem with packets larger than 1498 bytes (1458 + 40 TCP/IP header).

iperf -c 192.168.1.1 -M 1458

I then set the MTU of the interfaces Suricata was bound to to 1502. This allowed normal TCP traffic to get through.

The hardware here is unusual:
Exynos 5422 SoC (ARMv7)
ASIX AX88179 USB 3.0 GigE adapters

Kernel 3.17 (Fedora 21)
Suricata 2.07
GRO disabled on both interfaces.

From suricata.yaml:

af-packet:
  - interface: eth0
    threads: 8
    defrag: yes
    cluster-type: cluster_flow
    cluster-id: 98
    copy-mode: ips
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1
    threads: 8
    cluster-id: 97
    defrag: yes
    cluster-type: cluster_flow
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

These pair of interfaces work fine in a normal bridge config.