* clampmss only partially working on 2.6 kernelmode pppoe?
@ 2005-02-12  6:41 Joris
  2005-02-12 14:08 ` Jason Opperisano
  0 siblings, 1 reply; 4+ messages in thread
From: Joris @ 2005-02-12  6:41 UTC (permalink / raw)
  To: netfilter

Hi,


I have linux 2.6.11-rc2 masquerading a pppoe connection (mtu: 1492)
through the kernel mode pppoe implementation.

I loaded the ipt_tcpmss and ipt_TCPMSS (what's the difference?) kernel
modules, and have the following iptables rule running:
iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Most internet hosts seem to be ok, but (don't laugh, it's for a family
member's fade-out only!) hotmail still is a pita. (to be specific:
after logging in, the inbox page served by
by18fd.bay18.hotmail.msn.com never gets through). Some hotmail submit


Has someone experienced something similar?

Is there a more precise test method (eg, sending a packet of a certain
size to a certain host or something, or is there something specific I
could look for in a network dump?)

Any suggestions on how this could work?



* Re: clampmss only partially working on 2.6 kernelmode pppoe?
  2005-02-12  6:41 clampmss only partially working on 2.6 kernelmode pppoe? Joris
@ 2005-02-12 14:08 ` Jason Opperisano
  2005-02-12 14:14   ` Jason Opperisano
  0 siblings, 1 reply; 4+ messages in thread
From: Jason Opperisano @ 2005-02-12 14:08 UTC (permalink / raw)
  To: netfilter

On Sat, 2005-02-12 at 01:41, Joris wrote:
> Hi,
> 
> 
> I have linux 2.6.11-rc2 masquerading a pppoe connection (mtu: 1492)
> through the kernel mode pppoe implementation.
> 
> I loaded the ipt_tcpmss and ipt_TCPMSS (what's the difference?) kernel
> modules, and have the following iptables rule running:
> iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 
> Most internet hosts seem to be ok, but (don't laugh, it's for a family
> member's fade-out only!) hotmail still is a pita. (to be specific:
> after logging in, the inbox page served by
> by18fd.bay18.hotmail.msn.com never gets through). Some hotmail submit
> 
> 
> Has someone experienced something similar?
> 
> Is there a more precise test method (eg, sending a packet of a certain
> size to a certain host or something, or is there something specific I
> could look for in a network dump?)

tcpdump the external interface of the firewall for icmp type 3 code 4
packets.

keep in mind that "--clamp-mss-to-pmtu" relies on the fact that PMTU
discovery works along the path of your communication--this is not always
a valid assumption these days.

-j

--
"Okay, retrace your steps. Woke up, fought with Marge, ate Guatemalan
 insanity peppers, then I... Oh..."
	--The Simpsons




* Re: clampmss only partially working on 2.6 kernelmode pppoe?
  2005-02-12 14:08 ` Jason Opperisano
@ 2005-02-12 14:14   ` Jason Opperisano
  2005-02-13  7:25     ` Joris
  0 siblings, 1 reply; 4+ messages in thread
From: Jason Opperisano @ 2005-02-12 14:14 UTC (permalink / raw)
  To: netfilter

On Sat, 2005-02-12 at 09:08, Jason Opperisano wrote:
> tcpdump the external interface of the firewall for icmp type 3 code 4
> packets.

left this part out--the command for that would be:

  tcpdump -n -nn -p -i $EXTIF \
    'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 4'

-j

--
"Mr. Simpson, why are you here?
 Don't say revenge! Don't say revenge!
 Revenge?
 That's it! I'm outta here!"
	--The Simpsons




* Re: clampmss only partially working on 2.6 kernelmode pppoe?
  2005-02-12 14:14   ` Jason Opperisano
@ 2005-02-13  7:25     ` Joris
  0 siblings, 0 replies; 4+ messages in thread
From: Joris @ 2005-02-13  7:25 UTC (permalink / raw)
  To: Jason Opperisano; +Cc: netfilter

On Sat, 12 Feb 2005 09:14:51 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Sat, 2005-02-12 at 09:08, Jason Opperisano wrote:

> keep in mind that "--clamp-mss-to-pmtu" relies on the fact that PMTU
> discovery works along the path of your communication--this is not always
> a valid assumption these days.

Hmmmkay, but then why does it also not work when I manually set the
mss, even to silly low settings like 500?
iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

Perhaps I'm looking in a totally wrong direction to find the cause?
When I reduce the mtu of the masqueraded host (on the local network)
to the mtu of the ppp connection, all problems disappear. (and no,
that's no real solution ;)


>   tcpdump -n -nn -p -i $EXTIF \
>     'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 4'

This does not match a single packet while testing the login.
I've done a tcpdump (-s0 -w), it's available at http://et.yi.org/hotmail.dump
Ethereal claims "unassembled packet" several times, but that may or
may not have anything to do with this problem, it doesn't seem
uncommon with ssl data.



Friendly greetings,
Joris
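
Added example, not part of any message in this thread: for the question of what to look for in a network dump, a small Python reader that pulls the MSS option out of SYN and SYN/ACK packets, flags IPv4 packets longer than the link MTU, and extracts the next-hop MTU from ICMP type 3 code 4 messages. It assumes raw IPv4 packets of at least 20 bytes with the link-layer header already stripped; the function names and the sample packets are constructed for illustration.

```python
import struct

PPP_MTU = 1492  # link MTU quoted in the thread

def tcp_syn_mss(pkt):
    """Return (is_synack, mss) for an IPv4 TCP SYN or SYN/ACK, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20 or not pkt[ihl + 13] & 0x02:
        return None
    tcp = pkt[ihl:]
    opts, i = tcp[20:(tcp[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:            # kind 0 ends the option list
        size = 1 if opts[i] == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if size < 2 and opts[i] != 1:                # malformed length: stop parsing
            break
        if opts[i] == 2 and size == 4 and i + 4 <= len(opts):   # kind 2 = MSS
            return bool(tcp[13] & 0x10), struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += size
    return None

def frag_needed_mtu(pkt):
    """Return the next-hop MTU of an ICMP type 3 code 4 message, else None."""
    ihl = (pkt[0] & 0x0F) * 4
    is_fn = pkt[9] == 1 and len(pkt) >= ihl + 8 and pkt[ihl:ihl + 2] == b"\x03\x04"
    return struct.unpack("!H", pkt[ihl + 6:ihl + 8])[0] if is_fn else None

def audit(packets, mtu=PPP_MTU):
    """Collect the values worth reading out of a dump when clamping is in doubt."""
    rep = {"syn_mss": [], "synack_mss": [], "over_mtu": [], "frag_needed": []}
    for p in packets:
        hit, total, hint = tcp_syn_mss(p), struct.unpack("!H", p[2:4])[0], frag_needed_mtu(p)
        if hit:
            rep["synack_mss" if hit[0] else "syn_mss"].append(hit[1])
        if total > mtu:                              # IPv4 total-length field
            rep["over_mtu"].append(total)
        if hint is not None:
            rep["frag_needed"].append(hint)
    rep["syn_clamped"] = all(m <= mtu - 40 for m in rep["syn_mss"])  # 40 = IPv4 + TCP headers
    return rep

def sample_ip(proto, payload, total=None):  # constructed test packet, checksums left at 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total or 20 + len(payload), 0, 0x4000,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload
def sample_syn(mss, flags):                 # constructed SYN (0x02) or SYN/ACK (0x12)
    return sample_ip(6, struct.pack("!HHIIBBHHHBBH", 40000, 443, 0, 0, 0x60, flags,
                                    65535, 0, 0, 2, 4, mss))

SAMPLE = [sample_syn(1452, 0x02), sample_syn(1460, 0x12), sample_ip(6, b"\0" * 20, total=1500),
          sample_ip(1, struct.pack("!BBHHH", 3, 4, 0, 0, 1492) + b"\0" * 28)]
```

An MSS option states the largest segment its sender will accept, so `syn_mss` bounds the traffic coming back to the host that opened the connection and `synack_mss` bounds what that host sends out.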


