[Ewrt-devel] Configuration
Irving Popovetsky
Thu Jun 10 15:43:35 PDT 2004
This patch looks better than the one I made. I had
CONFIG_IP_NF_TARGET_TCPMSS set but had not touched
CONFIG_IP_NF_MATCH_TCPMSS.
I would like to include this patch in Ewrt. Have you tested it in
either a pptp or PPPoE scenario?
-Irving
On Thu, 2004-06-10 at 06:57, Tom Goetz wrote:
> Irving Popovetsky wrote:
>
> >Hi Tom,
> >
> >On Wed, 2004-06-09 at 05:34, Tom Goetz wrote:
> >
> >
> >>There are two competing configuration systems for the router.
> >>src/cy_config.mak and make menuconfig in src/router. Both define
> >>CONFIG_* variables. I would like to move variables that EWRT will allow
> >>configuration changes to from cy_config.mak into the menuconfig system.
> >>This would allow building of various flavors of EWRT with a make
> >>menuconfig in src/router alone.
> >>
> >>What do you think?
> >>
> >>
> >
> >You're right, it is somewhat convoluted. I haven't really used the
> >supplied conf/mconf tool. cy_conf.mak is included by lots of makefiles
> >and seems to lay out the default variables (which are then overridden?)
> >but I never really touch that either.
> >
> >Do you think you could get the menuconfig tool to do something useful?
> >If not, I'm thinking about just removing it.
> >
> >
> >
> >
> I think menuconfig offers a little more value if a broad group of people
> are building. If it's just a core group of developers, then it offers no
> extra value. The extra value is in the text explanations attached to the
> config value in the menu. If you're moving towards just using
> cy_config.mak I can move my new config options and any options that just
> appear in router/.config into cy_config.mak.
>
> I've also been working on a fix to path mtu issues. Here's a patch
> relative to ewrt/src :
>
> Index: Linux/Linux/.config
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/linux/linux/.config,v
> retrieving revision 1.1.1.1
> diff -c -r1.1.1.1 .config
> *** linux/linux/.config 24 Mar 2004 00:08:47 -0000 1.1.1.1
> --- linux/linux/.config 10 Jun 2004 13:52:01 -0000
> ***************
> *** 311,317 ****
> # CONFIG_IP_NF_MATCH_AH_ESP is not set
> # CONFIG_IP_NF_MATCH_LENGTH is not set
> # CONFIG_IP_NF_MATCH_TTL is not set
> ! # CONFIG_IP_NF_MATCH_TCPMSS is not set
> # CONFIG_IP_NF_MATCH_HELPER is not set
> CONFIG_IP_NF_MATCH_STATE=y
> # CONFIG_IP_NF_MATCH_CONNTRACK is not set
> --- 311,317 ----
> # CONFIG_IP_NF_MATCH_AH_ESP is not set
> # CONFIG_IP_NF_MATCH_LENGTH is not set
> # CONFIG_IP_NF_MATCH_TTL is not set
> ! CONFIG_IP_NF_MATCH_TCPMSS=y
> # CONFIG_IP_NF_MATCH_HELPER is not set
> CONFIG_IP_NF_MATCH_STATE=y
> # CONFIG_IP_NF_MATCH_CONNTRACK is not set
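Review bot: this hunk only turns on the tcpmss match (CONFIG_IP_NF_MATCH_TCPMSS), which the `-m tcpmss --mss %d:` half of the PPTPD rule needs; both branches of the firewall.c change also jump to the TCPMSS target, and that option (CONFIG_IP_NF_TARGET_TCPMSS) is not among the .config lines 311-317 shown here. Since the text below this patch says the rule silently does nothing when the target is missing from the kernel, the patch should either carry the `CONFIG_IP_NF_TARGET_TCPMSS=y` line as well or state explicitly that it is already set in the tree.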
> Index: router/rc/firewall.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/firewall.c,v
> retrieving revision 1.2
> diff -c -r1.2 firewall.c
> *** router/rc/firewall.c 21 Apr 2004 20:28:15 -0000 1.2
> --- router/rc/firewall.c 10 Jun 2004 13:52:02 -0000
> ***************
> *** 1182,1190 ****
> save2file("-A FORWARD -m state --state INVALID -j DROP\n");
>
> /* Clamp TCP MSS to PMTU of WAN interface */
> ! if( nvram_match("wan_proto", "pppoe") ||
> nvram_match("mtu_enable", "1") )
> ! save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m
> tcpmss --mss %d: -j TCPMSS "
> ! "--set-mss %d\n",
> atoi(nvram_safe_get("wan_mtu"))-39, atoi(nvram_safe_get("wan_mtu"))-40);
>
> /* DROP packets for PPTP pass through. */
> if (nvram_match("pptp_pass", "0"))
> --- 1182,1204 ----
> save2file("-A FORWARD -m state --state INVALID -j DROP\n");
>
> /* Clamp TCP MSS to PMTU of WAN interface */
> ! #ifdef HAVE_PPTPD
> ! #define IP_OVERHEAD 40
> ! #define PPTP_OVERHEAD 108
> ! int mtu, mss;
> !
> ! if( nvram_match("mtu_enable", "1") )
> ! mtu = atoi(nvram_safe_get("wan_mtu"));
> ! else
> ! mtu = 1500;
> ! /* adjust for tunneling overhead (mtu - 40 byte IP - tunnel
> overhead) */
> ! mss = mtu - IP_OVERHEAD - PPTP_OVERHEAD;
> ! save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss
> --mss %d: -j TCPMSS --set-mss %d\n",
> ! mss-1, mss);
> ! #else
> ! /* sets mss to mtu - 40 */
> ! save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu\n");
> ! #endif
>
> /* DROP packets for PPTP pass through. */
> if (nvram_match("pptp_pass", "0"))
>
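Review bot: the HAVE_PPTPD branch drops the old `nvram_match("wan_proto", "pppoe")` condition, so on a PPPoE WAN with mtu_enable not set `mtu` falls back to 1500 and the value written by `--set-mss` is too large by the PPPoE link overhead; keep a PPPoE default next to the 1500 fallback, or gate the fallback on wan_proto as the original rule did. Three smaller points in the same branch: `int mtu, mss;` sits after the `save2file(...)` statement, which is not valid C89 and older gcc rejects, so move the declaration to the top of the block; `atoi(nvram_safe_get("wan_mtu"))` still turns a missing or garbage value into 0, which yields a negative MSS in the emitted rule, so range-check it before use; and the `--mss %d:` match with `mss-1` also rewrites SYNs whose MSS is already exactly `mss-1` (raising them to `mss`), so `mss+1` is the boundary that leaves them alone. It would also help to say in the comment where the 108-byte PPTP_OVERHEAD figure comes from, since "tunnel overhead" alone does not let a reader check it.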
> The non-PPTPD part provides a better and simpler form of what was
> originally there, and the PPTPD part takes into account the additional
> overhead of the tunnel. BTW the original rule also requires the TCPMSS
> target to be configured in the kernel. So if that rule was included
> without the change to the kernel config, it would not function.
>
> Tom Goetz
> tom at goetz-family.org
--
Irving Popovetsky Information Security Consultant
ProStructure Consulting http://www.prostructure.com
Network and Security Consulting phone: (503) 288-1566
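As an added example (not code from the ewrt tree or from either poster), the following C mirrors the MSS-clamp rule generation discussed in the patch above, but validates the nvram-derived MTU before it reaches the rule and keeps a PPPoE default for the HAVE_PPTPD case. The function names `parse_wan_mtu`, `clamp_mss`, `build_mss_rule` and `rule_equals` are this example's own; the 108-byte PPTP overhead is taken from the patch, the 1492-byte PPPoE MTU and the 576..1500 accepted range are assumptions stated in the comments.

```c
/* Added example, not from the ewrt patch: build the TCP MSS clamp rule the
 * way router/rc/firewall.c does, but reject a bad "wan_mtu" first.
 * Names parse_wan_mtu, clamp_mss, build_mss_rule, rule_equals are ours. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_TCP_OVERHEAD 40    /* IPv4 header (20) + TCP header (20), no options */
#define PPTP_OVERHEAD   108   /* tunnel overhead figure taken from the patch */
#define DEFAULT_MTU     1500  /* Ethernet, the patch's own fallback */
#define PPPOE_MTU       1492  /* Ethernet minus the 8-byte PPPoE/PPP header (assumed default) */
#define MIN_MSS         536   /* RFC 879 default MSS; anything lower is a broken config */

/* Parse an nvram "wan_mtu" string. atoi() turns junk into 0, which would put
 * a negative MSS into the rule; anything outside 576..1500 (a policy choice
 * for this example) falls back to the caller's default instead. */
int parse_wan_mtu(const char *s, int fallback)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0')
        return fallback;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 576 || v > 1500)
        return fallback;
    return (int)v;
}

/* MSS = MTU - IP/TCP headers - tunnel overhead; -1 if the result is unusable. */
int clamp_mss(int mtu, int tunnel_overhead)
{
    int mss = mtu - IP_TCP_OVERHEAD - tunnel_overhead;
    return mss < MIN_MSS ? -1 : mss;
}

/* Write the iptables rule into buf. Returns 0 on success, -1 on bad input.
 * pptpd != 0 mirrors the patch's HAVE_PPTPD branch; otherwise the kernel's
 * --clamp-mss-to-pmtu does the per-path arithmetic itself. */
int build_mss_rule(char *buf, size_t n, const char *wan_proto,
                   const char *mtu_enable, const char *wan_mtu, int pptpd)
{
    int mtu, mss, len;

    if (!pptpd) {
        len = snprintf(buf, n, "-A FORWARD -p tcp --tcp-flags SYN,RST SYN "
                               "-j TCPMSS --clamp-mss-to-pmtu\n");
        return (len < 0 || (size_t)len >= n) ? -1 : 0;
    }

    if (strcmp(mtu_enable, "1") == 0)
        mtu = parse_wan_mtu(wan_mtu, DEFAULT_MTU);
    else if (strcmp(wan_proto, "pppoe") == 0)
        mtu = PPPOE_MTU;      /* keeps the original rule's PPPoE case */
    else
        mtu = DEFAULT_MTU;

    mss = clamp_mss(mtu, PPTP_OVERHEAD);
    if (mss < 0)
        return -1;

    /* Match only SYNs advertising an MSS above the target (mss+1:), so a
     * SYN already at or below the target is left untouched. */
    len = snprintf(buf, n, "-A FORWARD -p tcp --tcp-flags SYN,RST SYN "
                           "-m tcpmss --mss %d: -j TCPMSS --set-mss %d\n",
                   mss + 1, mss);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Helper: does the generated rule equal the expected string? */
int rule_equals(const char *wan_proto, const char *mtu_enable,
                const char *wan_mtu, int pptpd, const char *expected)
{
    char buf[160];
    if (build_mss_rule(buf, sizeof buf, wan_proto, mtu_enable, wan_mtu, pptpd) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[160];
    /* Constructed sample settings: a PPTP WAN with an explicit MTU, then a plain DHCP WAN. */
    if (build_mss_rule(buf, sizeof buf, "pptp", "1", "1400", 1) == 0)
        fputs(buf, stdout);
    if (build_mss_rule(buf, sizeof buf, "dhcp", "0", "", 0) == 0)
        fputs(buf, stdout);
    return 0;
}
```

The point of the range check is that nvram contents are untrusted configuration: a blank or corrupted `wan_mtu` must degrade to a known default rather than produce a rule with a negative MSS that iptables rejects, leaving the clamp silently absent.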