Re: [Dnsmasq-discuss] dnsmasq + nat(solved)

[SamLT]

On Mon, Jan 10, 2011 at 01:03:39PM -0600, richardvo...@gmail.com wrote:
 On Mon, Jan 10, 2011 at 1:01 PM, richardvo...@gmail.com 
 richardvo...@gmail.com wrote:
 
 
 
  On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert 
  kaffeemons...@googlemail.com wrote:
 
  2011/1/10 andu novac novac.a...@gmail.com:
   You're welcome.  However you would not say nice crystal ball if you
  saw
   the scratch marks it leaves on the furniture ;)
  
   Furniture is replaceable, I'd say it's worth it :)
  
 
  But since your furniture may be of value...
  Someone already solved this quite nicely, look at the iptables manpage:
 
 
  This is fantastic if you must control stuff centrally.  But it will result
  in every outgoing packet getting fragmented.  Reducing the mtu on the client
  avoids that.
 
 
 Oh nevermind, it affect the TCP option negotiation, so it causes the client
 to send smaller packets.  So it is a general solution for TCP (and only
 TCP).  For UDP, the mtu still needs to be reduced at the client.
 


Reducing the mtu on the client side will also mean they'll use this mtu
for local traffic which isn't usually a good idea (performance wise:
lower speed, higher cpu usage).


 
 
 
 
  TCPMSS
This target allows to alter the MSS value of TCP SYN packets,
  to control the maximum size for that connection (usually  lim‐
iting  it  to your outgoing interface's MTU minus 40 for IPv4
  or 60 for IPv6, respectively).  Of course, it can only be used
in conjunction with -p tcp.  It is only valid in the mangle table.
This target is used to overcome criminally braindead ISPs or
  servers which block  ICMP  Fragmentation  Needed  or  ICMPv6
Packet  Too  Big packets.  The symptoms of this problem are
  that everything works fine from your Linux firewall/router, but
machines behind it can never exchange large packets:
 1) Web browsers connect, then hang with no data received.
 2) Small mail works fine, but large emails hang.
 3) ssh works fine, but scp hangs after initial handshaking.
Workaround: activate this option and add a rule to your
  firewall configuration like:
 
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
-j TCPMSS --clamp-mss-to-pmtu
 
--set-mss value
   Explicitly sets MSS option to specified value. If the
  MSS of the packet is already lower than value, it will  not  be
   increased (from Linux 2.6.25 onwards) to avoid more
  problems with hosts relying on a proper MSS.
 
--clamp-mss-to-pmtu
   Automatically  clamp  MSS  value  to  (path_MTU - 40 for
  IPv4; -60 for IPv6).  This may not function as desired where
   asymmetric routes with differing path MTU exist — the
  kernel uses the path MTU which it would  use  to  send  packets
   from  itself  to the source and destination IP
  addresses. Prior to Linux 2.6.25, only the path MTU to the destination
   IP address was considered by this option; subsequent
  kernels also consider the path MTU to the source IP address.
 
These options are mutually exclusive
 
 
  Greetings
  Jan
 
  --
  Murphy's Law of Combat
  Rule #3: Never forget that your weapon was manufactured by the
  lowest bidder
 
  ___
  Dnsmasq-discuss mailing list
  Dnsmasq-discuss@lists.thekelleys.org.uk
  http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
 
 
 

 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

[Dnsmasq-discuss] OT: Network analysis tools

[Rance Hall]

I know this is Off Topic for this list, but I need help, and this is
likely a good place to find people who understand the problem well
enough to provide some hints.


This is a research project for my Masters Degree.

I'm setting up a virtual network with VDE and connecting vms to it
with VirtualBox

I'm using wirefilter to poison the logical cables between virtual VDE
switches and I'm using wireshark to detect the force-fed faults.

All seems to be working as far as I've tested it.

I need help finding research grade documentation for the faults.

so far I'm sourcing the software manuals for the various software
products and I'm using and some RFCs

It would be nice if I could find something that (preferably published
in a journal or a conference) discussed the network related problems
associated with too much packet loss, or duplicate packets or noise.

Any help appreciated.

Rance

Re: [Dnsmasq-discuss] dnsmasq + nat(solved)

[richardvo...@gmail.com]

On Mon, Jan 10, 2011 at 11:50 PM, SamLT samuel.leth...@intelunix.fr wrote:

 On Mon, Jan 10, 2011 at 01:03:39PM -0600, richardvo...@gmail.com wrote:
  On Mon, Jan 10, 2011 at 1:01 PM, richardvo...@gmail.com 
  richardvo...@gmail.com wrote:
 
  
  
   On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert 
   kaffeemons...@googlemail.com wrote:
  
   2011/1/10 andu novac novac.a...@gmail.com:
You're welcome.  However you would not say nice crystal ball if
 you
   saw
the scratch marks it leaves on the furniture ;)
   
Furniture is replaceable, I'd say it's worth it :)
   
  
   But since your furniture may be of value...
   Someone already solved this quite nicely, look at the iptables
 manpage:
  
  
   This is fantastic if you must control stuff centrally.  But it will
 result
   in every outgoing packet getting fragmented.  Reducing the mtu on the
 client
   avoids that.
  
 
  Oh nevermind, it affect the TCP option negotiation, so it causes the
 client
  to send smaller packets.  So it is a general solution for TCP (and only
  TCP).  For UDP, the mtu still needs to be reduced at the client.
 


 Reducing the mtu on the client side will also mean they'll use this mtu
 for local traffic which isn't usually a good idea (performance wise:
 lower speed, higher cpu usage).



That's true, but it's a disproportionate cost.  You have to decide between a
3% increase in packet count on local connections vs a 100% increase in
packet count on internet traffic (if things go well and the fragments don't
break things outright).