[Ewrt-devel] Configuration

Irving Popovetsky
Thu Jun 10 15:43:35 PDT 2004


This patch looks better than the one I made.  I had
CONFIG_IP_NF_TARGET_TCPMSS set but had not touched
CONFIG_IP_NF_MATCH_TCPMSS. 

I would like to include this patch in Ewrt.  Have you tested it in
either a pptp or PPPoE scenario?

-Irving



On Thu, 2004-06-10 at 06:57, Tom Goetz wrote:
> Irving Popovetsky wrote:
> 
> >Hi Tom,
> >
> >On Wed, 2004-06-09 at 05:34, Tom Goetz wrote:
> >  
> >
> >>There are two competing configuration systems for the router. 
> >>src/cy_config.mak and make menuconfig in src/router. Both define 
> >>CONFIG_* variables. I would like to move variables that EWRT will allow  
> >>configuration changes to from cy_config.mak into the menuconfig system. 
> >>This would allow building of various flavors of EWRT with a make 
> >>menuconfig in src/router alone.
> >>
> >>What do you think?
> >>    
> >>
> >
> >You're right, it is somewhat convoluted.   I haven't really used the
> >supplied conf/mconf tool.  cy_conf.mak is included by lots of makefiles
> >and seems to lay out the default variables (which are then overridden?)
> >but I never really touch that either.
> >
> >Do you think you could get the menuconfig tool to do something useful? 
> >If not, I'm thinking about just removing it.
> >
> >
> >  
> >
> I think menuconfig offers a little more value if a broad group of people 
> are building. If it's just a core group of developers, then it offers no 
> extra value. The extra value is in the text explanations attached to the 
> config value in the menu. If you're moving towards just using 
> cy_config.mak I can move my new config options and any options that just 
> appear in router/.config into cy_config.mak.
> 
> I've also been working on a fix to path mtu issues. Here's a patch 
> relative to ewrt/src :
> 
> Index: Linux/Linux/.config
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/linux/linux/.config,v
> retrieving revision 1.1.1.1
> diff -c -r1.1.1.1 .config
> *** linux/linux/.config 24 Mar 2004 00:08:47 -0000      1.1.1.1
> --- linux/linux/.config 10 Jun 2004 13:52:01 -0000
> ***************
> *** 311,317 ****
>   # CONFIG_IP_NF_MATCH_AH_ESP is not set
>   # CONFIG_IP_NF_MATCH_LENGTH is not set
>   # CONFIG_IP_NF_MATCH_TTL is not set
> ! # CONFIG_IP_NF_MATCH_TCPMSS is not set
>   # CONFIG_IP_NF_MATCH_HELPER is not set
>   CONFIG_IP_NF_MATCH_STATE=y
>   # CONFIG_IP_NF_MATCH_CONNTRACK is not set
> --- 311,317 ----
>   # CONFIG_IP_NF_MATCH_AH_ESP is not set
>   # CONFIG_IP_NF_MATCH_LENGTH is not set
>   # CONFIG_IP_NF_MATCH_TTL is not set
> ! CONFIG_IP_NF_MATCH_TCPMSS=y
>   # CONFIG_IP_NF_MATCH_HELPER is not set
>   CONFIG_IP_NF_MATCH_STATE=y
>   # CONFIG_IP_NF_MATCH_CONNTRACK is not set
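Review bot: CONFIG_IP_NF_TARGET_TCPMSS is not touched in this hunk, yet both branches of the firewall.c change jump to that target (`-j TCPMSS --set-mss %d` and `-j TCPMSS --clamp-mss-to-pmtu`), so the rule will fail to load unless the target is already =y in the base .config; please confirm that, or add the line here so the two changes ship together. Note also that after the firewall.c change only the HAVE_PPTPD branch still uses `-m tcpmss`, so CONFIG_IP_NF_MATCH_TCPMSS=y is required for PPTPD builds only; keeping it on for all builds is harmless but worth a comment so it is not "cleaned up" later.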
> Index: router/rc/firewall.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/firewall.c,v
> retrieving revision 1.2
> diff -c -r1.2 firewall.c
> *** router/rc/firewall.c        21 Apr 2004 20:28:15 -0000      1.2
> --- router/rc/firewall.c        10 Jun 2004 13:52:02 -0000
> ***************
> *** 1182,1190 ****
>         save2file("-A FORWARD -m state --state INVALID -j DROP\n");
> 
>         /* Clamp TCP MSS to PMTU of WAN interface */
> !       if( nvram_match("wan_proto", "pppoe") || 
> nvram_match("mtu_enable", "1") )
> !               save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m 
> tcpmss --mss %d: -j TCPMSS "
> !                         "--set-mss %d\n", 
> atoi(nvram_safe_get("wan_mtu"))-39, atoi(nvram_safe_get("wan_mtu"))-40);
> 
>         /* DROP packets for PPTP pass through. */
>         if (nvram_match("pptp_pass", "0"))
> --- 1182,1204 ----
>         save2file("-A FORWARD -m state --state INVALID -j DROP\n");
> 
>         /* Clamp TCP MSS to PMTU of WAN interface */
> ! #ifdef HAVE_PPTPD
> !       #define IP_OVERHEAD     40
> !       #define PPTP_OVERHEAD   108
> !       int mtu, mss;
> !
> !       if( nvram_match("mtu_enable", "1") )
> !               mtu = atoi(nvram_safe_get("wan_mtu"));
> !       else
> !               mtu = 1500;
> !       /* adjust for tunneling overhead (mtu - 40 byte IP - tunnel 
> overhead) */
> !       mss = mtu - IP_OVERHEAD - PPTP_OVERHEAD;
> !       save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss 
> --mss %d: -j TCPMSS --set-mss %d\n",
> !                 mss-1, mss);
> ! #else
> !       /* sets mss to mtu - 40 */
> !       save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS 
> --clamp-mss-to-pmtu\n");
> ! #endif
> 
>         /* DROP packets for PPTP pass through. */
>         if (nvram_match("pptp_pass", "0"))
> 
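Review bot: the match lower bound in the HAVE_PPTPD branch looks inverted. The tcpmss range is inclusive, so `--mss %d:` filled with `mss-1` matches every SYN whose MSS is >= mss-1; a SYN advertising mss-1 is then rewritten upward to mss, and one advertising exactly mss is rewritten to itself. The rule being removed used `--mss mtu-39:` against `--set-mss mtu-40`, i.e. it matched only values strictly above the target; the equivalent here is to pass `mss+1, mss` rather than `mss-1, mss`. Two smaller points: `int mtu, mss;` is declared after the preceding `save2file(...)` statement, which relies on C99 mixed declarations, so either open a `{ }` block for the branch or move the declarations to the top of the function; and the PPTPD rule sits on FORWARD with no interface or address match, so it lowers the MSS by PPTP_OVERHEAD for every forwarded TCP flow, not only those that traverse the tunnel. If that is intended, say so in the comment; if not, restrict the rule with an interface match.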
> The non PPTPD part provides a better and simpler form of what was 
> originally there and the PPTPD part takes into account the additional 
> overhead of the tunnel. BTW the original rule also requires the TCPMSS 
> target to be configured in the kernel. So if that rule was included 
> without the change to the kernel config, it would not function.
> 
> Tom Goetz
tom at goetz-family.org
-- 
Irving Popovetsky               Information Security Consultant
ProStructure Consulting             http://www.prostructure.com
Network and Security Consulting           phone: (503) 288-1566
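The MSS arithmetic the patch performs, and the two iptables pieces it relies on (the inclusive `-m tcpmss --mss N:` range match and the TCPMSS target rewriting the MSS option inside a SYN), as an added, stand-alone C example that is not part of the thread or of the EWRT source. It reuses the patch's overhead figures (40 bytes IP+TCP, 108 bytes PPTP), models the target in its clamp-to-pmtu form (only ever lowering the option), and walks a constructed TCP option block; the packet bytes and function names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_OVERHEAD   40   /* IPv4 header (20) + TCP header (20), as in the patch */
#define PPTP_OVERHEAD 108  /* PPTP/GRE encapsulation figure used by the patch */

/* MSS for a path whose outer MTU is `mtu`, after removing the IP/TCP
 * headers and the tunnel encapsulation (the patch's mss computation). */
int tunnel_mss(int mtu, int tunnel_overhead)
{
    return mtu - IP_OVERHEAD - tunnel_overhead;
}

/* Model of "-m tcpmss --mss LOW: -j TCPMSS --set-mss SET" on one SYN.
 * The tcpmss match range is inclusive, so any MSS >= low is rewritten to
 * set_mss; the function returns the MSS the SYN carries afterwards. */
int rule_result_mss(int pkt_mss, int low, int set_mss)
{
    return pkt_mss >= low ? set_mss : pkt_mss;
}

/* What the TCPMSS target does on the wire: walk the TCP options of a SYN,
 * find the MSS option (kind 2, length 4) and lower it to max_mss if it is
 * larger. Returns the MSS found before clamping, 0 if the SYN carried no
 * MSS option, or -1 if the option list is malformed. */
int clamp_syn_mss(uint8_t *opts, size_t len, int max_mss)
{
    size_t i = 0;
    while (i < len) {
        uint8_t kind = opts[i];
        if (kind == 0)                       /* End of Option List */
            break;
        if (kind == 1) {                     /* No-Operation padding */
            i++;
            continue;
        }
        if (i + 1 >= len)                    /* length byte missing */
            return -1;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len)      /* length runs past the buffer */
            return -1;
        if (kind == 2 && olen == 4) {
            int old = (opts[i + 2] << 8) | opts[i + 3];
            if (old > max_mss) {
                opts[i + 2] = (uint8_t)(max_mss >> 8);
                opts[i + 3] = (uint8_t)(max_mss & 0xff);
            }
            return old;
        }
        i += olen;                           /* skip an option we do not care about */
    }
    return 0;
}

/* Constructed SYN option block: MSS 1460 (0x05b4), two NOPs, SACK-permitted.
 * Runs the clamp against max_mss and returns the MSS left in the packet. */
int clamped_sample_mss(int max_mss)
{
    uint8_t opts[] = { 2, 4, 0x05, 0xb4, 1, 1, 4, 2 };
    if (clamp_syn_mss(opts, sizeof opts, max_mss) < 0)
        return -1;
    return (opts[2] << 8) | opts[3];
}

int main(void)
{
    int mss = tunnel_mss(1500, PPTP_OVERHEAD);   /* 1352 for the default MTU */
    printf("tunnel MSS: %d\n", mss);
    printf("SYN with MSS 1460 leaves the router with MSS %d\n",
           clamped_sample_mss(mss));
    /* The patch's "--mss mss-1:" bound versus the strictly-greater bound
     * the previous rule used: a SYN already below the target should not move. */
    printf("MSS %d under --mss %d: -> %d\n", mss - 1, mss - 1,
           rule_result_mss(mss - 1, mss - 1, mss));
    printf("MSS %d under --mss %d: -> %d\n", mss - 1, mss + 1,
           rule_result_mss(mss - 1, mss + 1, mss));
    return 0;
}
```

`rule_result_mss` is the part to keep in mind when choosing the lower bound of the match: because the range is inclusive, the bound should be one above the value passed to `--set-mss`, so that SYNs already at or below the target are left alone.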
  