<br><br><div class="gmail_quote">On Mon, Jan 10, 2011 at 1:01 PM, <a href="mailto:richardvoigt@gmail.com">richardvoigt@gmail.com</a> <span dir="ltr"><<a href="mailto:richardvoigt@gmail.com">richardvoigt@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br><br><div class="gmail_quote"><div class="im">On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert <span dir="ltr"><<a href="mailto:kaffeemonster@googlemail.com" target="_blank">kaffeemonster@googlemail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2011/1/10 andu novac <<a href="mailto:novac.andu@gmail.com" target="_blank">novac.andu@gmail.com</a>>:<br>
<div>>> You're welcome. However you would not say "nice crystal ball" if you saw<br>
>> the scratch marks it leaves on the furniture ;)<br>
><br>
> Furniture is replaceable, I'd say it's worth it :)<br>
><br>
<br>
</div>But since your furniture may be of value...<br>
Someone already solved this quite nicely, look at the iptables manpage:<br></blockquote><div><br></div></div><div>This is fantastic if you must control stuff centrally. But it will result in every outgoing packet getting fragmented. Reducing the MTU on the client avoids that.</div>
</div></blockquote><div><br></div><div>Oh, never mind, it affects the TCP option negotiation, so it causes the client to send smaller packets. So it is a general solution for TCP (and only TCP). For UDP, the MTU still needs to be reduced at the client.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div class="gmail_quote"><div><div></div><div class="h5">
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
TCPMSS<br>
This target allows to alter the MSS value of TCP SYN packets,<br>
to control the maximum size for that connection (usually limiting<br>
it to your outgoing interface's MTU minus 40 for IPv4<br>
or 60 for IPv6, respectively). Of course, it can only be used<br>
in conjunction with -p tcp. It is only valid in the mangle table.<br>
This target is used to overcome criminally braindead ISPs or<br>
servers which block "ICMP Fragmentation Needed" or "ICMPv6<br>
Packet Too Big" packets. The symptoms of this problem are<br>
that everything works fine from your Linux firewall/router, but<br>
machines behind it can never exchange large packets:<br>
1) Web browsers connect, then hang with no data received.<br>
2) Small mail works fine, but large emails hang.<br>
3) ssh works fine, but scp hangs after initial handshaking.<br>
Workaround: activate this option and add a rule to your<br>
firewall configuration like:<br>
<br>
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN<br>
-j TCPMSS --clamp-mss-to-pmtu<br>
<br>
--set-mss value<br>
Explicitly sets MSS option to specified value. If the<br>
MSS of the packet is already lower than value, it will not be<br>
increased (from Linux 2.6.25 onwards) to avoid more<br>
problems with hosts relying on a proper MSS.<br>
<br>
--clamp-mss-to-pmtu<br>
Automatically clamp MSS value to (path_MTU - 40 for<br>
IPv4; -60 for IPv6). This may not function as desired where<br>
asymmetric routes with differing path MTU exist — the<br>
kernel uses the path MTU which it would use to send packets<br>
from itself to the source and destination IP<br>
addresses. Prior to Linux 2.6.25, only the path MTU to the destination<br>
IP address was considered by this option; subsequent<br>
kernels also consider the path MTU to the source IP address.<br>
<br>
These options are mutually exclusive<br>
<br>
<br>
Greetings<br>
Jan<br>
<font color="#888888"><br>
--<br>
Murphy's Law of Combat<br>
Rule #3: "Never forget that your weapon was manufactured by the<br>
lowest bidder"<br>
</font><div><div></div><div><br>
_______________________________________________<br>
Dnsmasq-discuss mailing list<br>
<a href="mailto:Dnsmasq-discuss@lists.thekelleys.org.uk" target="_blank">Dnsmasq-discuss@lists.thekelleys.org.uk</a><br>
<a href="http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss" target="_blank">http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss</a><br>
</div></div></blockquote></div></div></div><br>
</blockquote></div><br>
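<div>The MSS rewrite the quoted man page describes, as an added example (not code from this thread, from iptables or from the kernel): it matches only SYN segments without RST, lowers the MSS option to the path MTU minus 40 (IPv4) or 60 (IPv6), never raises it, and patches the TCP checksum incrementally. All function names, the sample header and the path MTU of 1400 used to try it are constructed for illustration.</div>

```python
import struct

OVERHEAD = {4: 40, 6: 60}  # IP + TCP header bytes per the quoted man page
SYN, RST = 0x02, 0x04

def fold(s: int) -> int:
    """Fold carries into 16 bits (one's-complement addition)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def inet_checksum(data: bytes) -> int:
    return ~fold(sum(struct.unpack("!%dH" % (len(data) // 2), data))) & 0xFFFF

def clamp_mss(tcp: bytes, path_mtu: int, ip_version: int = 4) -> bytes:
    """Lower the MSS option of a SYN to path_mtu minus header overhead."""
    limit = path_mtu - OVERHEAD[ip_version]
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= hdr_len <= len(tcp) or tcp[13] & (SYN | RST) != SYN:
        return tcp                     # same match as --tcp-flags SYN,RST SYN
    out, i = bytearray(tcp), 20
    while i < hdr_len and out[i] != 0:  # kind 0 ends the option list
        if out[i] == 1:                # NOP padding is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or out[i + 1] < 2 or i + out[i + 1] > hdr_len:
            return tcp                 # malformed option: leave the packet alone
        if out[i] == 2 and out[i + 1] == 4:
            mss = struct.unpack_from("!H", out, i + 2)[0]
            if limit <= 0 or mss <= limit:
                return tcp             # clamp only lowers, never raises
            words = sorted({(i + 2) & ~1, (i + 3) & ~1})  # aligned words touched
            old = [struct.unpack_from("!H", out, w)[0] for w in words]
            struct.pack_into("!H", out, i + 2, limit)
            check = struct.unpack_from("!H", out, 16)[0]
            for w, o in zip(words, old):   # RFC 1624: HC' = ~(~HC + ~m + m')
                new = struct.unpack_from("!H", out, w)[0]
                check = ~fold((~check & 0xFFFF) + (~o & 0xFFFF) + new) & 0xFFFF
            struct.pack_into("!H", out, 16, check)
            return bytes(out)
        i += out[i + 1]
    return tcp

def sample_syn(mss: int = 1460) -> bytes:
    """Constructed 24-byte SYN (ports 40000 -> 80); checksum covers the header only."""
    hdr = struct.pack("!HHIIBBHHHBBH", 40000, 80, 1, 0, 6 << 4, SYN, 65535, 0, 0, 2, 4, mss)
    return hdr[:16] + struct.pack("!H", inet_checksum(hdr)) + hdr[18:]
```

<div>A UDP datagram has no such option to rewrite, which is why the reply above says the MTU still has to be reduced at the client for UDP.</div>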