On Mon, Jan 10, 2011 at 01:03:39PM -0600, richardvo...@gmail.com wrote:
On Mon, Jan 10, 2011 at 1:01 PM, richardvo...@gmail.com
richardvo...@gmail.com wrote:
On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert
kaffeemons...@googlemail.com wrote:
2011/1/10 andu novac novac.a...@gmail.com:
You're welcome. However you would not say nice crystal ball if you saw
the scratch marks it leaves on the furniture ;)
Furniture is replaceable, I'd say it's worth it :)
But since your furniture may be of value...
Someone already solved this quite nicely, look at the iptables manpage:
This is fantastic if you must control stuff centrally. But it will result
in every outgoing packet getting fragmented. Reducing the mtu on the client
avoids that.
Oh never mind, it affects the TCP option negotiation, so it causes the client
to send smaller packets. So it is a general solution for TCP (and only
TCP). For UDP, the mtu still needs to be reduced at the client.
Reducing the mtu on the client side will also mean they'll use this mtu
for local traffic, which isn't usually a good idea (performance-wise:
lower speed, higher cpu usage).
TCPMSS

This target allows to alter the MSS value of TCP SYN packets,
to control the maximum size for that connection (usually limiting
it to your outgoing interface's MTU minus 40 for IPv4
or 60 for IPv6, respectively). Of course, it can only be used
in conjunction with -p tcp. It is only valid in the mangle table.

This target is used to overcome criminally braindead ISPs or
servers which block ICMP Fragmentation Needed or ICMPv6
Packet Too Big packets. The symptoms of this problem are
that everything works fine from your Linux firewall/router, but
machines behind it can never exchange large packets:

1) Web browsers connect, then hang with no data received.
2) Small mail works fine, but large emails hang.
3) ssh works fine, but scp hangs after initial handshaking.

Workaround: activate this option and add a rule to your
firewall configuration like:

    iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

--set-mss value
    Explicitly sets MSS option to specified value. If the
    MSS of the packet is already lower than value, it will not be
    increased (from Linux 2.6.25 onwards) to avoid more
    problems with hosts relying on a proper MSS.

--clamp-mss-to-pmtu
    Automatically clamp MSS value to (path_MTU - 40 for
    IPv4; -60 for IPv6). This may not function as desired where
    asymmetric routes with differing path MTU exist — the
    kernel uses the path MTU which it would use to send packets
    from itself to the source and destination IP
    addresses. Prior to Linux 2.6.25, only the path MTU to the destination
    IP address was considered by this option; subsequent
    kernels also consider the path MTU to the source IP address.

These options are mutually exclusive.
Greetings
Jan
--
Murphy's Law of Combat
Rule #3: Never forget that your weapon was manufactured by the
lowest bidder
___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
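The MSS rewrite described in the quoted manpage text, as an added example that is not part of the thread and is not the iptables or kernel code: it walks the TCP options of a SYN, lowers the MSS to path MTU minus 40 (IPv4) or 60 (IPv6) without ever raising it, and patches the TCP checksum incrementally. The names clamp_mss, checksum and SAMPLE_SYN are hypothetical, and the sample segment is constructed.

```python
import struct

def _fold(x: int) -> int:
    """Fold carries back in: one's-complement 16-bit addition."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x

def checksum(data: bytes) -> int:
    """Internet checksum over pseudo-header + TCP segment (checksum field zeroed)."""
    data += b"\x00" * (len(data) % 2)
    return ~_fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def clamp_mss(segment: bytes, path_mtu: int, ipv6: bool = False) -> bytes:
    """Lower the MSS option of a SYN to path_mtu - 40 (IPv4) or - 60 (IPv6)."""
    limit = path_mtu - (60 if ipv6 else 40)
    # Flag test is the same match as --tcp-flags SYN,RST SYN.
    if len(segment) < 20 or limit < 1 or segment[13] & 0x06 != 0x02:
        return segment
    end = min((segment[12] >> 4) * 4, len(segment))   # end of the option area
    i = 20
    while i + 1 < end:
        kind, length = segment[i], segment[i + 1]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP is a single byte, no length
            i += 1
            continue
        if length < 2 or i + length > end:  # malformed option: leave packet alone
            break
        if kind == 2 and length == 4:       # MSS option
            (old,) = struct.unpack_from("!H", segment, i + 2)
            if old <= limit:                # never raise an MSS that is already lower
                return segment
            out = bytearray(segment)
            struct.pack_into("!H", out, i + 2, limit)
            # RFC 1624 incremental update HC' = ~(~HC + ~m + m'); a value at an
            # odd offset straddles two checksum words, so use byte-swapped values.
            swap = (lambda v: (v >> 8) | ((v & 0xFF) << 8)) if (i + 2) % 2 else (lambda v: v)
            (hc,) = struct.unpack_from("!H", segment, 16)
            new_hc = ~_fold((~hc & 0xFFFF) + (~swap(old) & 0xFFFF) + swap(limit)) & 0xFFFF
            struct.pack_into("!H", out, 16, new_hc)
            return bytes(out)
        i += length
    return segment

# Constructed sample: SYN from port 40000 to 80, options MSS=1460, NOP, NOP, SACK-permitted.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])
```

SAMPLE_SYN carries a zero checksum field; fill it with checksum() over the pseudo-header plus segment before clamping if the result is to be verified end to end.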