[Dnsmasq-discuss] dnsmasq + nat(solved)
novac.andu at gmail.com
Mon Jan 10 19:14:51 GMT 2011
That's almost too elegant for me :) Nice!
On Mon, Jan 10, 2011 at 8:53 PM, Jan Seiffert <kaffeemonster at googlemail.com> wrote:
> 2011/1/10 andu novac <novac.andu at gmail.com>:
>>> You're welcome. However you would not say "nice crystal ball" if you saw
>>> the scratch marks it leaves on the furniture ;)
>> Furniture is replaceable, I'd say it's worth it :)
> But since your furniture may be of value...
> Someone already solved this quite nicely, look at the iptables manpage:
> This target allows to alter the MSS value of TCP SYN packets,
> to control the maximum size for that connection (usually limiting
> it to your outgoing interface's MTU minus 40 for IPv4 or 60 for
> IPv6, respectively). Of course, it can only be used in conjunction
> with -p tcp. It is only valid in the mangle table.
> This target is used to overcome criminally braindead ISPs or
> servers which block "ICMP Fragmentation Needed" or "ICMPv6
> Packet Too Big" packets. The symptoms of this problem are
> that everything works fine from your Linux firewall/router, but
> machines behind it can never exchange large packets:
> 1) Web browsers connect, then hang with no data received.
> 2) Small mail works fine, but large emails hang.
> 3) ssh works fine, but scp hangs after initial handshaking.
> Workaround: activate this option and add a rule to your
> firewall configuration like:
>     iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> --set-mss value
>     Explicitly sets MSS option to specified value. If the
>     MSS of the packet is already lower than value, it will not be
>     increased (from Linux 2.6.25 onwards) to avoid more
>     problems with hosts relying on a proper MSS.
> --clamp-mss-to-pmtu
>     Automatically clamp MSS value to (path_MTU - 40 for
>     IPv4; -60 for IPv6). This may not function as desired where
>     asymmetric routes with differing path MTU exist — the
>     kernel uses the path MTU which it would use to send packets
>     from itself to the source and destination IP
>     addresses. Prior to Linux 2.6.25, only the path MTU to the destination
>     IP address was considered by this option; subsequent
>     kernels also consider the path MTU to the source IP address.
> These options are mutually exclusive.
> Murphy's Law of Combat
> Rule #3: "Never forget that your weapon was manufactured by the
> lowest bidder"
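To make the clamp the manpage describes concrete, here is an added example (not from the thread or from iptables) that does in user space what the TCPMSS target does in the kernel: it selects packets the way `--tcp-flags SYN,RST SYN` does, walks the TCP option list, and lowers an MSS option to `path_MTU - 40` (IPv4) or `- 60` (IPv6) without ever raising an MSS that is already lower. The sample option bytes are constructed; recomputing the TCP checksum after the rewrite is left out.

```python
import struct
from typing import Optional, Tuple

TCP_SYN, TCP_RST = 0x02, 0x04
IPV4_OVERHEAD = 40   # 20-byte IPv4 header + 20-byte TCP header ("minus 40")
IPV6_OVERHEAD = 60   # 40-byte IPv6 header + 20-byte TCP header ("minus 60")


def should_clamp(tcp_flags: int) -> bool:
    """Mirror '--tcp-flags SYN,RST SYN': SYN set and RST clear (SYN-ACK qualifies too)."""
    return (tcp_flags & (TCP_SYN | TCP_RST)) == TCP_SYN


def clamped_mss(path_mtu: int, ipv6: bool = False) -> int:
    """The value '--clamp-mss-to-pmtu' derives from the path MTU."""
    return path_mtu - (IPV6_OVERHEAD if ipv6 else IPV4_OVERHEAD)


def rewrite_mss(options: bytes, new_mss: int) -> Tuple[bytes, Optional[int]]:
    """Walk the TCP option list; if an MSS option (kind 2, length 4) is present
    and larger than new_mss, lower it. A smaller MSS is left alone, as the
    post-2.6.25 kernels do. Returns (options, original MSS or None)."""
    out = bytearray(options)
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", out, i + 2)[0]
            if old > new_mss:
                struct.pack_into("!H", out, i + 2, new_mss)
            return bytes(out), old
        i += length
    return bytes(out), None


# Constructed SYN options as a Linux client sends them: MSS 1460, SACK-permitted,
# Timestamps, NOP, Window scale 7.
SAMPLE_SYN_OPTIONS = (b"\x02\x04\x05\xb4" + b"\x04\x02"
                      + b"\x08\x0a" + b"\x00\x00\x00\x10" + b"\x00\x00\x00\x00"
                      + b"\x01" + b"\x03\x03\x07")
```

With a PPPoE-style path MTU of 1492, `rewrite_mss(SAMPLE_SYN_OPTIONS, clamped_mss(1492))` lowers the MSS from 1460 to 1452 and leaves every other option untouched.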