[Ewrt-devel] pmtu patch

Irving Popovetsky
Wed Jun 23 16:15:10 PDT 2004

The Linux advanced routing and traffic control howto 
(http://lartc.org/howto/index.html) agrees with you:

I will plan on committing this patch tomorrow.


On Mon, 2004-06-21 at 13:51, Tom Goetz wrote:
> Irving Popovetsky wrote:
> >Hi Tom, sorry for the slow response.
> >
> >It kindof scares me that you're changing the logic to clamp MSS to PMTU
> >for ALL setups, not just PPPOE/MTU tweaked setups.   Is this okay to
> >do?  Brandy?
> >
> >Another question:  for that ip-up function in pptpd.c you change the MSS
> >again.  If it has already been set to --clamp-mss-to-pmtu, does that
> >rule need to be flushed first or will it gracefully override?
> >
> >-Irving
> >  
> >
> I think the clamp MSS to PMTU is an improvement for all setups, due to 
> he previlence of blackholes. If the MTU of the WRT54G is the limiting 
> factor in any connection with the presence of a black hole, than TCP 
> connections will fail. The firewall clamping MSS to PMTU replaces the 
> desired, but not functioning PMTU discovery process. ISPs not allowing 
> ICMPs to transit seems to becoming a common thing. Perhaps making this a 
> configurable option or limiting it to firewall/router configs might suit 
> you better.
> It's my understanding that firewall rules are processed in order. The 
> PPTPD rule is inserted above the original rule. Therefore it has 
> precidence. This addressed a probelm I had while using PPTP to VPN into 
> my home netwrok from work.
> By the way there was still a bug in that version.
> "%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
> should be
> "%s -I FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: 
> -j TCPMSS --set-mss %d\n"
> And in my current configuration, I have removed the -i partand made the 
> rule global.
> My current modified EWRT firmware is working well for me as a VPN 
> router. I haven't made any further changes to it in a week or two. I'm 
> distracted writing a journal application at the moment.
> -Tom
-Irving Popovetsky
ProStructure Consulting             http://www.prostructure.com
Network and Security Consulting           phone: (503) 288-1566
               "Crafting Connectivity that Matters"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://portless.net/pipermail/ewrt-devel/attachments/20040623/08ebeb71/attachment.bin

More information about the Ewrt-devel mailing list