RE: CIPE 1.5.4 / NAT / iptables issue|
"Mark Smith" <mark.smith,AT,avcosystems,DOT,co,DOT,uk>|
Fri, 11 Jul 2003 18:01:48 +0100|
That bit I understand, and the version of iptables I'm using lets me modify
the real MSS:
iptables -A FORWARD -i eth0 -o cipcb0 -p tcp -m tcp --tcp-flags SYN,RST
SYN -j TCPMSS --clamp-mss-to-pmtu
However, this obviously will only work when it is Linux on the end of the
tunnel. I have the same problem with a Win32 client. What I'm after is why
PMTUD isn't working when it should be. I'd rather fix that than fudge the
MSS, as above.
Mark Smith - Avco Systems Ltd
Tel: +44 (0)1784 430996 Fax: +44 (0)1784 431078
> -----Original Message-----
> From: owner-cipe-l,AT,inka,DOT,de [mailto:owner-cipe-l,AT,inka,DOT,de
> Behalf Of
> Dick St.Peters
> Sent: 11 July 2003 16:30
> To: Mark Smith
> Cc: cipe-l,AT,inka,DOT,de
> Subject: RE: CIPE 1.5.4 / NAT / iptables issue
> Mark Smith writes:
> > I run NAT over CIPE 1.5.4 on 2.4.18 without any apparent
> problem apart from
> > large packets and PMTUD. I'm still hoping that the person
> that suggested
> > using iptables to clamp mss to pmtu can provide more
> information either
> > where they found that out, or if they know, why it works and what it
> > changes.
> I don't think I'm the person who suggested that, but I can
> provide some explanation. At the beginning of a TCP
> session, each end tells the other the largest packet size it
> can send or receive. To see what this implies, it helps to
> consider network diagrams, beginning with a trivial one, two
> hosts A and B directly connected by a network link:
> A <-link-> B
> Both A and B know the largest packet the link will carry
> because they are connected to it. This is true even if the
> link is a virtual link, such as a CIPE tunnel.
> Now advance to a more complex diagram:
> A <-link 1-> X <-link 2-> Y <-link 3-> B
> If link 2 is a virtual link, its maximum packet size will be
> reduced by the tunnel overhead and will be smaller than for
> links 1 and 3. Normally neither A nor B will know that. A
> will only know the largest packet link 1 can carry. B will
> only know the largest packet link 3 can carry.
> However, A and B have to learn about link 2's smaller
> maximum size to talk efficiently. One way for A to learn
> the link 2 size is for the owner/user of A to clamp A's
> maximum packet size to the maximum size for link 2. Then
> when A tells B the maximum size A can send/receive, it will
> give the clamped size, not the link 1 maximum size.
> There's no way to clamp the size with iptables that I know
> of, but you can do it with the Linux route command.
> However, there's an error in the implementation: the "mss"
> route parameter actually sets the MTU, not the MSS.
> Clamping the real MSS to the path MTU would be wrong, but
> clamping what the route command calls mss to the path MTU is
> (MTU is the maximum packet size, MSS is the maximum TCP
> payload size - i.e., MTU minus TCP/IP overhead.)
> Dick St.Peters, stpeters,AT,NetHeaven,DOT,com
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: