[Ewrt-devel] pmtu patch
Irving Popovetsky
Mon Jun 21 10:56:18 PDT 2004
Hi Tom, sorry for the slow response.
It kind of scares me that you're changing the logic to clamp MSS to PMTU
for ALL setups, not just PPPOE/MTU tweaked setups. Is this okay to
do? Brandy?
Another question: for that ip-up function in pptpd.c you change the MSS
again. If it has already been set to --clamp-mss-to-pmtu, does that
rule need to be flushed first or will it gracefully override?
-Irving
On Sun, 2004-06-13 at 12:52, Tom Goetz wrote:
> Here's the final version of my pmtu patch, which clamps the TCP MSS to
> MTU-40 for all connections and further limits the MSS for PPP
> connections for the PPTPD server.
>
> Tom Goetz
> tom at goetz-family.org
>
>
> Index: linux/linux/.config
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/linux/linux/.config,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 .config
> --- linux/linux/.config 24 Mar 2004 00:08:47 -0000 1.1.1.1
> +++ linux/linux/.config 11 Jun 2004 23:02:25 -0000
> @@ -311,7 +311,7 @@
> # CONFIG_IP_NF_MATCH_AH_ESP is not set
> # CONFIG_IP_NF_MATCH_LENGTH is not set
> # CONFIG_IP_NF_MATCH_TTL is not set
> -# CONFIG_IP_NF_MATCH_TCPMSS is not set
> +CONFIG_IP_NF_MATCH_TCPMSS=y
> # CONFIG_IP_NF_MATCH_HELPER is not set
> CONFIG_IP_NF_MATCH_STATE=y
> # CONFIG_IP_NF_MATCH_CONNTRACK is not set
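Review bot: only the tcpmss match (CONFIG_IP_NF_MATCH_TCPMSS) is switched on here; the TCPMSS target that `-j TCPMSS` needs is a separate option and is not touched, so please confirm it is already built in this .config (the old firewall.c rule used `-j TCPMSS --set-mss`, which suggests it is). After this patch the only user of `-m tcpmss` is the pptpd ip-up/ip-down rules, since the firewall.c FORWARD rule drops that match; a line in the commit message saying so would stop the config change from being reverted later as unused.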
> Index: router/rc/firewall.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/firewall.c,v
> retrieving revision 1.2
> diff -u -r1.2 firewall.c
> --- router/rc/firewall.c 21 Apr 2004 20:28:15 -0000 1.2
> +++ router/rc/firewall.c 11 Jun 2004 23:02:26 -0000
> @@ -1175,16 +1175,14 @@
>
> void filter_forward(void){
>
> + /* Clamp TCP MSS to PMTU of WAN interface */
> + save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
> +
> /* Accept the redirect, might be seen as INVALID, packets */
> save2file("-A FORWARD -i %s -o %s -j ACCEPT\n", lanface, lanface);
>
> /* Drop the wrong state, INVALID, packets */
> save2file("-A FORWARD -m state --state INVALID -j DROP\n");
> -
> - /* Clamp TCP MSS to PMTU of WAN interface */
> - if( nvram_match("wan_proto", "pppoe") || nvram_match("mtu_enable", "1") )
> - save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS "
> - "--set-mss %d\n", atoi(nvram_safe_get("wan_mtu"))-39, atoi(nvram_safe_get("wan_mtu"))-40);
>
> /* DROP packets for PPTP pass through. */
> if (nvram_match("pptp_pass", "0"))
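Review bot: the new clamp rule is unconditional and carries no interface match, so it now rewrites the MSS of every forwarded SYN, including LAN-to-LAN traffic accepted by the `-i lanface -o lanface` rule directly below it, and it is evaluated before the INVALID-state drop rather than after it. `--clamp-mss-to-pmtu` only ever lowers the MSS to the route's PMTU minus 40, so on a plain 1500-byte path it is a no-op and the old `-m tcpmss --mss %d:` guard is not required, but either keeping the `wan_proto`/`mtu_enable` condition or restricting the rule to SYNs leaving via the WAN interface would preserve the previous behaviour for setups that never needed clamping. Note also that the removed rule derived its values from `wan_mtu`, whereas the new one uses the kernel's PMTU for the route, so a `wan_mtu` setting only has an effect if it is also applied to the interface MTU.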
> Index: router/rc/pptpd.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/pptpd.c,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 pptpd.c
> --- router/rc/pptpd.c 24 Mar 2004 00:10:41 -0000 1.1.1.1
> +++ router/rc/pptpd.c 11 Jun 2004 23:02:26 -0000
> @@ -19,6 +19,7 @@
> #include
> #include
>
> +const char iptables[] = "/usr/sbin/iptables";
>
> int start_pptpd(void)
> {
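Review bot: the hunk offsets do not line up: this hunk adds a single line (`+19,7`), yet the following hunk maps old line 69 to new line 76, an offset of seven, so six added lines are missing from the posted diff or it was edited by hand; please regenerate it with `cvs diff -u` against a clean checkout. Also declare the path as `static const char iptables[]`: as a non-static file-scope symbol it can collide with another `iptables` definition elsewhere in the rc binary.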
> @@ -69,15 +76,29 @@
>
>
> // Create ip-up and ip-down scripts that are unique to pptpd to avoid interference with pppoe and pptp
> + #define IP_OVERHEAD 40
> + #define PPTP_OVERHEAD 108
> + int mtu, mss;
> +
> + if( nvram_match("mtu_enable", "1") )
> + mtu = atoi(nvram_safe_get("wan_mtu"));
> + else
> + mtu = 1500;
> + /* adjust for tunneling overhead (mtu - 40 byte IP - tunnel overhead) */
> + mss = mtu - IP_OVERHEAD - PPTP_OVERHEAD;
> fp = fopen("/tmp/pptpd/ip-up","w");
> fprintf(fp, "#!/bin/sh\n"
> - "/usr/sbin/iptables -I INPUT -i $1 -j ACCEPT\n"
> - "/usr/sbin/iptables -I FORWARD -i $1 -j ACCEPT\n");
> + "%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
> + "%s -I INPUT -i $1 -j ACCEPT\n"
> + "%s -I FORWARD -i $1 -j ACCEPT\n",
> + iptables, mss+1, mss, iptables, iptables);
> fclose(fp);
> fp = fopen("/tmp/pptpd/ip-down","w");
> fprintf(fp, "#!/bin/sh\n"
> - "/usr/sbin/iptables -D INPUT -i $1 -j ACCEPT\n"
> - "/usr/sbin/iptables -D FORWARD -i $1 -j ACCEPT\n");
> + "%s -D FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
> + "%s -D INPUT -i $1 -j ACCEPT\n"
> + "%s -D FORWARD -i $1 -j ACCEPT\n",
> + iptables, mss+1, mss, iptables, iptables);
> fclose(fp);
> chmod("/tmp/pptpd/ip-up", 0755);
> chmod("/tmp/pptpd/ip-down", 0755);
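Review bot: `-tcp` in both generated rules (the `-I FORWARD -i $1 -tcp --tcp-flags ...` line in ip-up and the matching `-D` in ip-down) is not a valid iptables option; the protocol match is `-p tcp`. iptables will most likely read it as `-t cp`, i.e. a table named "cp", so the insert fails, ip-up installs no MSS rule at all and ip-down fails on delete, with no error visible to the user. The `#define`s and `int mtu, mss;` also sit after executable statements inside the function, which is not valid C89 and is rejected by older compilers; move the defines to file scope and the declarations to the top of start_pptpd(). On Irving's ordering question: `-I FORWARD` places this rule ahead of the new unconditional `--clamp-mss-to-pmtu` rule, and the TCPMSS target is non-terminating, so both rules are evaluated on the SYN; each only lowers the MSS, so the smaller value wins and nothing needs to be flushed first. fopen() is still unchecked before fprintf(), as before.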
> @@ -106,7 +127,6 @@
> return ret;
> }
>
> -
> int pptpd_main(int argc, char **argv)
> {
>
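Review bot: drop this hunk; it only removes a blank line before pptpd_main() and adds nothing to the functional change.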
> @@ -129,3 +149,4 @@
> }
>
> }
> +
>
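Review bot: drop this hunk as well; it only appends a blank line at the end of the file.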
--
-Irving Popovetsky
ProStructure Consulting http://www.prostructure.com
Network and Security Consulting phone: (503) 288-1566
"Crafting Connectivity that Matters"