[Ewrt-devel] pmtu patch

Irving Popovetsky
Mon Jun 21 10:56:18 PDT 2004


Hi Tom, sorry for the slow response.

It kind of scares me that you're changing the logic to clamp MSS to PMTU
for ALL setups, not just PPPoE/MTU-tweaked setups. Is this okay to
do? Brandy?

Another question:  for that ip-up function in pptpd.c you change the MSS
again.  If it has already been set to --clamp-mss-to-pmtu, does that
rule need to be flushed first or will it gracefully override?

-Irving


On Sun, 2004-06-13 at 12:52, Tom Goetz wrote:
> Here's the final version of my pmtu patch, which clamps the TCP MSS to 
> MTU-40 for all connections and further limits the MSS for PPP 
> connections for the PPTPD server.
> 
> Tom Goetz
> tom at goetz-family.org
> 
> 
> ______________________________________________________________________
> Index: linux/linux/.config
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/linux/linux/.config,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 .config
> --- linux/linux/.config     24 Mar 2004 00:08:47 -0000      1.1.1.1
> +++ linux/linux/.config     11 Jun 2004 23:02:25 -0000
> @@ -311,7 +311,7 @@
>  # CONFIG_IP_NF_MATCH_AH_ESP is not set
>  # CONFIG_IP_NF_MATCH_LENGTH is not set
>  # CONFIG_IP_NF_MATCH_TTL is not set
> -# CONFIG_IP_NF_MATCH_TCPMSS is not set
> +CONFIG_IP_NF_MATCH_TCPMSS=y
>  # CONFIG_IP_NF_MATCH_HELPER is not set
>  CONFIG_IP_NF_MATCH_STATE=y
>  # CONFIG_IP_NF_MATCH_CONNTRACK is not set
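Review bot: this hunk turns on only the tcpmss match module (CONFIG_IP_NF_MATCH_TCPMSS), which the `-m tcpmss --mss %d:` part of the new pptpd.c ip-up rules needs; the `-j TCPMSS` target that both new rules use is a separate option, CONFIG_IP_NF_TARGET_TCPMSS, which this hunk does not touch. Please confirm it is already =y in the surrounding .config (the firewall.c rule being removed also used `-j TCPMSS`, so presumably it is), because without it none of the new rules load. Note too that the removed firewall.c rule used `-m tcpmss` while this match option was unset, so that code path could not have loaded with the old configuration; that is worth a sentence in the commit message, since it explains why the .config change is needed.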
> Index: router/rc/firewall.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/firewall.c,v
> retrieving revision 1.2
> diff -u -r1.2 firewall.c
> --- router/rc/firewall.c    21 Apr 2004 20:28:15 -0000      1.2
> +++ router/rc/firewall.c    11 Jun 2004 23:02:26 -0000
> @@ -1175,16 +1175,14 @@
>  
>  void filter_forward(void){
>  
> +   /* Clamp TCP MSS to PMTU of WAN interface */
> +   save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu\n");
> +
>     /* Accept the redirect, might be seen as INVALID, packets */
>     save2file("-A FORWARD -i %s -o %s -j ACCEPT\n", lanface, lanface);
>  
>     /* Drop the wrong state, INVALID, packets */
>     save2file("-A FORWARD -m state --state INVALID -j DROP\n");
> -
> -   /* Clamp TCP MSS to PMTU of WAN interface */
> -   if( nvram_match("wan_proto", "pppoe") || nvram_match("mtu_enable", "1") )
> -           save2file("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS "
> -                     "--set-mss %d\n", atoi(nvram_safe_get("wan_mtu"))-39, atoi(nvram_safe_get("wan_mtu"))-40);
>  
>     /* DROP packets for PPTP pass through. */
>     if (nvram_match("pptp_pass", "0")) 
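Review bot: the comment still says "PMTU of WAN interface", but the new rule has no `-o` restriction and, sitting at the top of FORWARD ahead of the lanface-to-lanface ACCEPT, it now rewrites the MSS of every forwarded SYN, LAN-to-LAN included; either add `-o` with the WAN interface name (the variable for it is not visible in this hunk) or keep the old wan_proto/mtu_enable condition, which is also the "all setups" concern raised in the reply above. On the mechanics, which the commit message should spell out: `--clamp-mss-to-pmtu` takes the PMTU from the route the SYN will follow, so unlike the removed `--set-mss wan_mtu-40` form it needs no nvram value and copes with a 1492-byte PPPoE link by itself, and because it only ever lowers an MSS, clamping 1500-byte LAN traffic is a no-op; the `-o` restriction is therefore about intent and per-SYN cost, not correctness. TCPMSS is non-terminating, so placing the rule before the INVALID drop changes nothing about what is dropped.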
> Index: router/rc/pptpd.c
> ===================================================================
> RCS file: /home/cvs/cvsroot/ewrt/src/router/rc/pptpd.c,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 pptpd.c
> --- router/rc/pptpd.c       24 Mar 2004 00:10:41 -0000      1.1.1.1
> +++ router/rc/pptpd.c       11 Jun 2004 23:02:26 -0000
> @@ -19,6 +19,7 @@
>  #include 
>  #include 
>  
> +const char iptables[] = "/usr/sbin/iptables";
>  
>  int start_pptpd(void)
>  {
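Review bot: `iptables` is defined at file scope with external linkage; make it `static const char iptables[] = "/usr/sbin/iptables";` so this very generic name cannot collide with a definition in another rc module (firewall.c in the same directory shells out to iptables too). A one-line comment on why the path becomes a constant here, when the rest of the file spelled it out inline, would also help the next reader.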
> @@ -69,15 +76,29 @@
>  
>    
>    // Create ip-up and ip-down scripts that are unique to pptpd to avoid interference with pppoe and pptp
> +  #define IP_OVERHEAD     40
> +  #define PPTP_OVERHEAD   108
> +  int mtu, mss;
> +
> +  if( nvram_match("mtu_enable", "1") )
> +    mtu = atoi(nvram_safe_get("wan_mtu"));
> +  else
> +    mtu = 1500;
> +  /* adjust for tunneling overhead (mtu - 40 byte IP - tunnel overhead) */
> +  mss = mtu - IP_OVERHEAD - PPTP_OVERHEAD;
>    fp = fopen("/tmp/pptpd/ip-up","w");
>    fprintf(fp, "#!/bin/sh\n"
> -              "/usr/sbin/iptables -I INPUT -i $1 -j ACCEPT\n"
> -              "/usr/sbin/iptables -I FORWARD -i $1 -j ACCEPT\n");
> +              "%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
> +              "%s -I INPUT -i $1 -j ACCEPT\n"
> +              "%s -I FORWARD -i $1 -j ACCEPT\n",
> +              iptables, mss+1, mss, iptables, iptables);
>    fclose(fp);
>    fp = fopen("/tmp/pptpd/ip-down","w");
>    fprintf(fp, "#!/bin/sh\n"
> -              "/usr/sbin/iptables -D INPUT -i $1 -j ACCEPT\n"
> -              "/usr/sbin/iptables -D FORWARD -i $1 -j ACCEPT\n");
> +              "%s -D FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
> +              "%s -D INPUT -i $1 -j ACCEPT\n"
> +              "%s -D FORWARD -i $1 -j ACCEPT\n",
> +              iptables, mss+1, mss, iptables, iptables);
>    fclose(fp);
>    chmod("/tmp/pptpd/ip-up", 0755);
>    chmod("/tmp/pptpd/ip-down", 0755);
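Review bot: `-tcp` in the two new rule strings (the `%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN ...` line in ip-up and its `-D` twin in ip-down) is not an iptables option; it must be `-p tcp`, as the firewall.c rule has it. iptables reads `-tcp` as `-t cp`, a nonexistent table, and the command fails; the script has no `set -e`, so the two ACCEPT lines still run and PPTP clients silently get no MSS limit at all, while the `-D` in ip-down fails the same way. Three smaller points: the `#define IP_OVERHEAD` / `#define PPTP_OVERHEAD` and `int mtu, mss;` land in the middle of the function body after existing statements, so move the defines to file scope and document which headers the 108 bytes are made up of, since nothing in the patch says; the `mtu = 1500` fallback ignores `wan_proto == "pppoe"`, the case the removed firewall.c condition treated as a reduced-MTU link (1492 for PPPoE), so PPTP clients behind a PPPoE WAN get an MSS 8 bytes too high unless mtu_enable is also set; and the hunk header `@@ -69,15 +76,29 @@` places the new side seven lines further down while the only earlier hunk in this file adds one line, so six added lines are missing from the posted diff and it should be regenerated before anyone applies it.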
> @@ -106,7 +127,6 @@
>    return ret;
>  }
>  
> -
>  int pptpd_main(int argc, char **argv)
>  {
>  
> @@ -129,3 +149,4 @@
>      }
>     
>  }
> +
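Review bot: this hunk and the one before it are whitespace only (a blank line added at end of file, a blank line removed ahead of pptpd_main); drop both so the diff is limited to the functional change.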
> 
> ______________________________________________________________________
> _______________________________________________
> Ewrt-devel mailing list
> Ewrt-devel at portless.net
> http://strongbad.prostructure.com/mailman/listinfo/ewrt-devel
-- 
-Irving Popovetsky
ProStructure Consulting             http://www.prostructure.com
Network and Security Consulting           phone: (503) 288-1566
               "Crafting Connectivity that Matters"
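
As an added example (my own, not code from the patch, from ewrt, or from either poster), here is a Python model of how the two TCPMSS rules in this patch combine on a single forwarded SYN, which is the question raised above about the ip-up rule overriding `--clamp-mss-to-pmtu`. It assumes the 2.4-era iptables TCPMSS semantics: `--set-mss N` overwrites the MSS option whenever its rule matches, `--clamp-mss-to-pmtu` only lowers the option (to the route PMTU minus 40), and the target is non-terminating, so later rules in the chain still see the SYN. The SYN bytes, addresses, ports and the 1492-byte PMTU are constructed for the example; the MSS arithmetic and the 108-byte constant are the ones in the patch.

```python
import ipaddress
import struct

IP_OVERHEAD = 40     # IPv4 (20) + TCP (20) headers: the "40" in MTU-40
PPTP_OVERHEAD = 108  # tunnel overhead constant as used in the patch's pptpd.c
TH_SYN, TH_RST = 0x02, 0x04
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

def tcp_checksum(src_ip, dst_ip, seg):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
    data = pseudo + struct.pack("!BBH", 0, 6, len(seg)) + seg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_syn(src_ip, dst_ip, sport, dport, mss=None):
    """Constructed TCP SYN (no IP header) carrying an MSS option when mss is given."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss) if mss is not None else b""
    while len(opts) % 4:
        opts += bytes([TCPOPT_NOP])
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, ((20 + len(opts)) // 4) << 4, TH_SYN, 65535, 0, 0)
    seg = bytearray(hdr + opts)
    struct.pack_into("!H", seg, 16, tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg)

def find_mss(seg):
    """Walk the TCP options; return (offset of the MSS value, mss) or None."""
    end, i = (seg[12] >> 4) * 4, 20
    while i < end:
        kind = seg[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break  # truncated or malformed option: stop, never read past the header
        if kind == TCPOPT_MSS and seg[i + 1] == 4:
            return i + 2, struct.unpack_from("!H", seg, i + 2)[0]
        i += seg[i + 1]
    return None

def rewrite_mss(seg, new_mss, src_ip, dst_ip):
    """Copy of seg with the MSS option set to new_mss and the checksum recomputed."""
    found = find_mss(seg)
    if found is None:
        return seg  # a SYN without an MSS option is left alone in this model
    out = bytearray(seg)
    struct.pack_into("!H", out, found[0], new_mss)
    struct.pack_into("!H", out, 16, 0)
    struct.pack_into("!H", out, 16, tcp_checksum(src_ip, dst_ip, bytes(out)))
    return bytes(out)

def is_syn(seg):  # --tcp-flags SYN,RST SYN
    return seg[13] & (TH_SYN | TH_RST) == TH_SYN

def set_mss_rule(min_mss, mss):  # -m tcpmss --mss {min_mss}: -j TCPMSS --set-mss {mss}
    def rule(seg, ctx):  # --set-mss overwrites unconditionally once the match fires
        found = find_mss(seg)
        if is_syn(seg) and found and found[1] >= min_mss:
            return rewrite_mss(seg, mss, ctx["src"], ctx["dst"])
        return seg
    return rule

def clamp_rule():  # -j TCPMSS --clamp-mss-to-pmtu
    def rule(seg, ctx):  # clamp only lowers the MSS, to PMTU-40; it never raises it
        found = find_mss(seg)
        limit = ctx["pmtu"] - IP_OVERHEAD
        if is_syn(seg) and found and found[1] > limit:
            return rewrite_mss(seg, limit, ctx["src"], ctx["dst"])
        return seg
    return rule

def run_chain(seg, rules, ctx):  # TCPMSS is non-terminating: every rule sees the SYN
    for rule in rules:
        seg = rule(seg, ctx)
    return seg

def pptpd_mss(wan_mtu):  # the MSS pptpd.c computes for PPTP clients
    return wan_mtu - IP_OVERHEAD - PPTP_OVERHEAD

def demo(set_mss, min_mss, pmtu=1492):
    """Push a 1460-MSS SYN through both rule orders; returns (set-mss first, clamp first)."""
    ctx = {"src": "192.168.1.10", "dst": "203.0.113.5", "pmtu": pmtu}  # constructed
    syn = build_syn(ctx["src"], ctx["dst"], 40000, 80, mss=1460)
    setter = set_mss_rule(min_mss, set_mss)
    a = run_chain(syn, [setter, clamp_rule()], ctx)
    b = run_chain(syn, [clamp_rule(), setter], ctx)
    return find_mss(a)[1], find_mss(b)[1]
```

`demo(pptpd_mss(1500), pptpd_mss(1500) + 1)` models the patch as posted (the guarded set-mss rule that ip-up inserts ahead of the clamp) and yields 1352 in either order, so neither rule needs flushing: the clamp never raises the value the set-mss rule wrote, and the `--mss N+1:` guard stops set-mss from touching a SYN that is already small enough. `demo(1460, 0)` drops that guard and shows `--set-mss` pushing an already-clamped MSS back above PMTU-40 when it runs second, which is why the `-m tcpmss --mss %d:` match in the ip-up rule matters.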