Re: clearing dont-fragment bit

[Abraham van der Merwe <abz@frogfoot.net>]

Hi Ralf                                          >@2003.10.09_19:12:51_+0200

> > > > Are there any iptables extensions out there that allow you to clear the DF
> > > > (Dont Fragment) bit in ip headers?
> > > If you clear the DF-Bit and use Linux on either side of the tunnel where
> > > the packets are fragmented you are in deep trouble, because Linux 2.4
> > > (when using PMTU) not only sets the DF-Bit but also clears the IP-ID
> > > which is needed to defragment the packets again. So, when clearing the
> > > DF-Bit you have to ensure unique numbers in the IP-ID field, too.
> > 
> > Surely if I clear the DF-bit in the mangle table then the ipstack should
> > only defragment the packet later on when it made a routing decision and
> > decided over which interface to send the packet(s) and set the IP-ID fields
> > and MF-bit accordingly?
> Usually the IP-ID field is set by the sender and not by the router
> fragmenting the packet. You have to set the IP-ID field and clear the
> DF-Bit at the same time. 

Yes, I know, but as long as all the fragments have unique ids it shouldn't
matter. Also, if the packet is fragmented along the way under normal
circumstances (i.e. DF=0), then the IP-ID field would have to be incremented
by the router fragmenting the packet.

Have a look at this: http://www.cisco.com/warp/public/105/56.html

On IOS you can clear the DF-bit and Cisco actually recommends it for this
particular problem so as long as IP-ID is unique for the fragments (which
should be the case) I don't see any problems doing it on Linux other than
degraded performance.

-- 

Regards
 Abraham

Why is it taking so long for her to bring out all the good in you?

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1665 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net