[Ewrt-devel] pmtu patch
Irving Popovetsky
Wed Jun 23 16:15:10 PDT 2004
The Linux advanced routing and traffic control howto
(http://lartc.org/howto/index.html) agrees with you:
http://lartc.org/howto/lartc.cookbook.mtu-mss.html
I will plan on committing this patch tomorrow.
-Irving
On Mon, 2004-06-21 at 13:51, Tom Goetz wrote:
> Irving Popovetsky wrote:
>
> >Hi Tom, sorry for the slow response.
> >
> >It kindof scares me that you're changing the logic to clamp MSS to PMTU
> >for ALL setups, not just PPPOE/MTU tweaked setups. Is this okay to
> >do? Brandy?
> >
> >Another question: for that ip-up function in pptpd.c you change the MSS
> >again. If it has already been set to --clamp-mss-to-pmtu, does that
> >rule need to be flushed first or will it gracefully override?
> >
> >-Irving
> >
> >
> I think the clamp MSS to PMTU is an improvement for all setups, due to
> the prevalence of blackholes. If the MTU of the WRT54G is the limiting
> factor in any connection with the presence of a black hole, then TCP
> connections will fail. The firewall clamping MSS to PMTU replaces the
> desired, but not functioning PMTU discovery process. ISPs not allowing
> ICMPs to transit seems to be becoming a common thing. Perhaps making this a
> configurable option or limiting it to firewall/router configs might suit
> you better.
>
> It's my understanding that firewall rules are processed in order. The
> PPTPD rule is inserted above the original rule. Therefore it has
> precedence. This addressed a problem I had while using PPTP to VPN into
> my home network from work.
>
> By the way there was still a bug in that version.
>
> "%s -I FORWARD -i $1 -tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
>
>
> should be
>
>
> "%s -I FORWARD -i $1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS --set-mss %d\n"
>
> And in my current configuration, I have removed the -i part and made the
> rule global.
>
> My current modified EWRT firmware is working well for me as a VPN
> router. I haven't made any further changes to it in a week or two. I'm
> distracted writing a journal application at the moment.
>
> -Tom
--
-Irving Popovetsky
ProStructure Consulting http://www.prostructure.com
Network and Security Consulting phone: (503) 288-1566
"Crafting Connectivity that Matters"
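The thread discusses two iptables constructs without showing their effect on a packet: the `-m tcpmss --mss N:` match combined with `-j TCPMSS --set-mss N` in the PPTP rule, and the global `--clamp-mss-to-pmtu` clamp that stands in for broken PMTU discovery. The following is an added, simplified model of both (it is not code from the EWRT patch or the netfilter sources): it parses the TCP options of a constructed SYN, applies the match and target semantics, and shows why the inserted PPTP rule and the global clamp can coexist. The sample MSS values (1460 for an Ethernet host, 1492 for a PPPoE link, 1400 for the VPN rule) are constructed for illustration; the "never raise the MSS" behaviour mirrors current kernels and is stated as an assumption in the code.

```python
"""Simplified model of the netfilter tcpmss match and TCPMSS target.

Added example, not part of the EWRT patch. It operates on the TCP options
field of a SYN so the effect of `--clamp-mss-to-pmtu` and `--set-mss` can be
checked offline, without iptables or a kernel.
"""

IPV4_HDR = 20   # bytes, no IP options
TCP_HDR = 20    # bytes, no TCP options (MSS excludes options by definition)

MSS_KIND = 2    # TCP option kind for Maximum Segment Size
MSS_LEN = 4     # kind + length + 2-byte value


def find_mss(options: bytes):
    """Return (offset, mss) of the MSS option in a TCP options field, or None.

    Walks kind/length pairs; stops on EOL (0), skips NOP (1), and bails out on
    a truncated or malformed option so a bad packet is never rewritten.
    """
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # EOL: nothing further to parse
            return None
        if kind == 1:                       # NOP: single byte padding
            i += 1
            continue
        if i + 1 >= len(options):
            return None                     # kind with no length byte
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed or truncated option
        if kind == MSS_KIND and length == MSS_LEN:
            return i, int.from_bytes(options[i + 2:i + 4], "big")
        i += length
    return None


def tcpmss_match(options: bytes, low: int, high: int = 65535) -> bool:
    """Model of `-m tcpmss --mss low:high`: true if the SYN's MSS lies in range.

    `--mss N:` in the quoted rule is the open-ended range N..65535.
    """
    found = find_mss(options)
    return found is not None and low <= found[1] <= high


def tcpmss_target(options: bytes, *, set_mss: int = None, pmtu: int = None):
    """Model of `-j TCPMSS --set-mss N` or `-j TCPMSS --clamp-mss-to-pmtu`.

    pmtu is the outgoing interface MTU. Returns (new_options, mss_now_in_packet).
    Assumption: like current kernels, the MSS is never increased, only lowered.
    A SYN without an MSS option is left untouched in this model.
    """
    found = find_mss(options)
    if found is None:
        return options, None
    off, old = found
    new = set_mss if set_mss is not None else pmtu - IPV4_HDR - TCP_HDR
    if old <= new:
        return options, old                 # nothing to clamp
    out = bytearray(options)
    out[off + 2:off + 4] = new.to_bytes(2, "big")
    return bytes(out), new


def apply_pptp_rule(options: bytes, match_low: int, set_mss: int):
    """The quoted PPTP rule: `-m tcpmss --mss LOW: -j TCPMSS --set-mss SET`.

    Returns (options, mss) if the rule fires, or (options, None) if it does
    not, in which case later rules (the global clamp) still see the packet.
    """
    if not tcpmss_match(options, match_low):
        return options, None
    return tcpmss_target(options, set_mss=set_mss)


# Constructed SYN options: MSS 1460, NOP, window scale 7, SACK permitted.
SYN_OPTS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7, 4, 2])


def demo():
    """Run the constructed SYN through the clamp and the PPTP rule."""
    clamped, mss_pppoe = tcpmss_target(SYN_OPTS, pmtu=1492)      # 1492-40 = 1452
    _, mss_eth = tcpmss_target(SYN_OPTS, pmtu=1500)              # 1460, unchanged
    _, mss_vpn = apply_pptp_rule(SYN_OPTS, match_low=1401, set_mss=1400)
    return {"pppoe": mss_pppoe, "ethernet": mss_eth, "vpn": mss_vpn,
            "rewritten": clamped}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The match-then-set pair in the PPTP rule only touches SYNs whose advertised MSS is at or above the threshold, so a host that already offers a small MSS passes through untouched to the global clamp, which in turn only ever lowers the value. That is why inserting the PPTP rule with `-I` above the clamp works without flushing anything: the first matching rule rewrites the option, and the clamp afterwards finds nothing left to reduce.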