* clampmss only partially working on 2.6 kernelmode pppoe?
From: Joris @ 2005-02-12 6:41 UTC (permalink / raw)
To: netfilter
Hi,

I have linux 2.6.11-rc2 masquerading a pppoe connection (mtu: 1492)
through the kernel mode pppoe implementation.

I loaded the ipt_tcpmss and ipt_TCPMSS (what's the difference?) kernel
modules, and have the following iptables rule running:

    iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Most internet hosts seem to be ok, but (don't laugh, it's for a family
member's fade-out only!) hotmail still is a pita. (to be specific:
after logging in, the inbox page served by
by18fd.bay18.hotmail.msn.com never gets through). Some hotmail submit

Has someone experienced something similar?

Is there a more precise test method (e.g., sending a packet of a certain
size to a certain host or something, or is there something specific I
could look for in a network dump?)

Any suggestions on how this could work?
* Re: clampmss only partially working on 2.6 kernelmode pppoe?
From: Jason Opperisano @ 2005-02-12 14:08 UTC (permalink / raw)
To: netfilter
On Sat, 2005-02-12 at 01:41, Joris wrote:
> Hi,
>
> I have linux 2.6.11-rc2 masquerading a pppoe connection (mtu: 1492)
> through the kernel mode pppoe implementation.
>
> I loaded the ipt_tcpmss and ipt_TCPMSS (what's the difference?) kernel
> modules, and have the following iptables rule running:
> iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> Most internet hosts seem to be ok, but (don't laugh, it's for a family
> member's fade-out only!) hotmail still is a pita. (to be specific:
> after logging in, the inbox page served by
> by18fd.bay18.hotmail.msn.com never gets through). Some hotmail submit
>
> Has someone experienced something similar?
>
> Is there a more precise test method (e.g., sending a packet of a certain
> size to a certain host or something, or is there something specific I
> could look for in a network dump?)

tcpdump the external interface of the firewall for icmp type 3 code 4
packets.

keep in mind that "--clamp-mss-to-pmtu" relies on the fact that PMTU
discovery works along the path of your communication--this is not always
a valid assumption these days.
-j
--
"Okay, retrace your steps. Woke up, fought with Marge, ate Guatemalan
insanity peppers, then I... Oh..."
--The Simpsons
* Re: clampmss only partially working on 2.6 kernelmode pppoe?
From: Jason Opperisano @ 2005-02-12 14:14 UTC (permalink / raw)
To: netfilter
On Sat, 2005-02-12 at 09:08, Jason Opperisano wrote:
> tcpdump the external interface of the firewall for icmp type 3 code 4
> packets.

left this part out--the command for that would be:

    tcpdump -n -nn -p -i $EXTIF \
        'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 4'

-j
--
"Mr. Simpson, why are you here?
Don't say revenge! Don't say revenge!
Revenge?
That's it! I'm outta here!"
--The Simpsons
* Re: clampmss only partially working on 2.6 kernelmode pppoe?
From: Joris @ 2005-02-13 7:25 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
On Sat, 12 Feb 2005 09:14:51 -0500, Jason Opperisano <opie@817west.com> wrote:
> On Sat, 2005-02-12 at 09:08, Jason Opperisano wrote:
> keep in mind that "--clamp-mss-to-pmtu" relies on the fact that PMTU
> discovery works along the path of your communication--this is not always
> a valid assumption these days.

Hmmmkay, but then why does it also not work when I manually set the
mss, even to silly low settings like 500?

    iptables -I FORWARD -o ppp0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1300

Perhaps I'm looking in a totally wrong direction to find the cause?

When I reduce the mtu of the masqueraded host (on the local network)
to the mtu of the ppp connection, all problems disappear. (and no,
that's no real solution ;)

> tcpdump -n -nn -p -i $EXTIF \
> 'icmp[icmptype] = icmp-unreach and icmp[icmpcode] = 4'

This does not match a single packet while testing the login.

I've done a tcpdump (-s0 -w), it's available at http://et.yi.org/hotmail.dump
Ethereal claims "unassembled packet" several times, but that may or
may not have anything to do with this problem, it doesn't seem
uncommon with ssl data.

Friendly greetings,
Joris
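
One way to look for "something specific" in a dump, as an added example that is not part of the original thread: read the MSS option from every segment that the rule's `--tcp-flags SYN,RST SYN` test would match (SYN and SYN-ACK) and compare it with MTU - 40, and recognise ICMP type 3 code 4. The function names `inspect`, `needs_clamp`, `ip_packet` and `syn_packet` are hypothetical, and the sample packets are constructed.

```python
import struct

PPP_MTU = 1492            # PPPoE MTU quoted in the thread
MAX_MSS = PPP_MTU - 40    # minus 20-byte IPv4 header and 20-byte TCP header

def inspect(pkt):
    """Classify one raw IPv4 packet (bytes starting at the IP header).

    Returns ("syn", mss) for TCP with SYN set and RST clear (SYN or SYN-ACK),
    ("frag-needed", next_hop_mtu) for ICMP type 3 code 4, otherwise None.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    l4 = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] == 1 and len(l4) >= 8 and l4[0] == 3 and l4[1] == 4:
        return ("frag-needed", struct.unpack("!H", l4[6:8])[0])
    if pkt[9] != 6 or len(l4) < 20 or l4[13] & 0x06 != 0x02:
        return None                    # same flag test as --tcp-flags SYN,RST SYN
    opts, i = l4[20:(l4[12] >> 4) * 4], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 ends the option list
        if opts[i] == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                              # malformed length, stop
        if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
            return ("syn", struct.unpack("!H", opts[i + 2:i + 4])[0])
        i += opts[i + 1]
    return ("syn", None)                       # SYN carrying no MSS option

def needs_clamp(pkt):
    """True when a SYN advertises an MSS too large for the PPPoE MTU."""
    res = inspect(pkt)
    return bool(res and res[0] == "syn" and res[1] and res[1] > MAX_MSS)

# Constructed sample packets (documentation addresses, checksums left at 0).
def ip_packet(proto, payload):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 10]) + bytes([198, 51, 100, 7]) + payload

def syn_packet(mss, flags=0x02):
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x60, flags, 65535, 0, 0)
    return ip_packet(6, tcp + struct.pack("!BBH", 2, 4, mss))

SAMPLE_UNCLAMPED = syn_packet(1460)    # MSS of a host on a 1500-byte MTU LAN
SAMPLE_CLAMPED = syn_packet(1452)      # MSS that fits the 1492-byte ppp0 MTU
SAMPLE_FRAG_NEEDED = ip_packet(1, struct.pack("!BBHHH", 3, 4, 0, 0, 1492) + SAMPLE_UNCLAMPED[:28])
```

Feed it each packet's bytes starting at the IPv4 header; for a capture written with `-s0 -w` that means stripping the link-layer header first.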