[Dnsmasq-discuss] dnsmasq + nat(solved)
SamLT
samuel.lethiec at intelunix.fr
Tue Jan 11 05:50:01 GMT 2011
On Mon, Jan 10, 2011 at 01:03:39PM -0600, richardvoigt at gmail.com wrote:
> On Mon, Jan 10, 2011 at 1:01 PM, richardvoigt at gmail.com <
> richardvoigt at gmail.com> wrote:
>
> >
> >
> > On Mon, Jan 10, 2011 at 12:53 PM, Jan Seiffert <
> > kaffeemonster at googlemail.com> wrote:
> >
> >> 2011/1/10 andu novac <novac.andu at gmail.com>:
> >> >> You're welcome. However you would not say "nice crystal ball" if you
> >> saw
> >> >> the scratch marks it leaves on the furniture ;)
> >> >
> >> > Furniture is replaceable, I'd say it's worth it :)
> >> >
> >>
> >> But since your furniture may be of value...
> >> Someone already solved this quite nicely, look at the iptables manpage:
> >>
> >
> > This is fantastic if you must control stuff centrally. But it will result
> > in every outgoing packet getting fragmented. Reducing the mtu on the client
> > avoids that.
> >
>
> Oh nevermind, it affect the TCP option negotiation, so it causes the client
> to send smaller packets. So it is a general solution for TCP (and only
> TCP). For UDP, the mtu still needs to be reduced at the client.
>
Reducing the mtu on the client side will also mean they'll use this mtu
for local traffic which isn't usually a good idea (performance wise:
lower speed, higher cpu usage).
>
> >
> >
> >>
> >> TCPMSS
> >> This target allows to alter the MSS value of TCP SYN packets,
> >> to control the maximum size for that connection (usually lim‐
> >> iting it to your outgoing interface's MTU minus 40 for IPv4
> >> or 60 for IPv6, respectively). Of course, it can only be used
> >> in conjunction with -p tcp. It is only valid in the mangle table.
> >> This target is used to overcome criminally braindead ISPs or
> >> servers which block "ICMP Fragmentation Needed" or "ICMPv6
> >> Packet Too Big" packets. The symptoms of this problem are
> >> that everything works fine from your Linux firewall/router, but
> >> machines behind it can never exchange large packets:
> >> 1) Web browsers connect, then hang with no data received.
> >> 2) Small mail works fine, but large emails hang.
> >> 3) ssh works fine, but scp hangs after initial handshaking.
> >> Workaround: activate this option and add a rule to your
> >> firewall configuration like:
> >>
> >> iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN
> >> -j TCPMSS --clamp-mss-to-pmtu
> >>
> >> --set-mss value
> >> Explicitly sets MSS option to specified value. If the
> >> MSS of the packet is already lower than value, it will not be
> >> increased (from Linux 2.6.25 onwards) to avoid more
> >> problems with hosts relying on a proper MSS.
> >>
> >> --clamp-mss-to-pmtu
> >> Automatically clamp MSS value to (path_MTU - 40 for
> >> IPv4; -60 for IPv6). This may not function as desired where
> >> asymmetric routes with differing path MTU exist — the
> >> kernel uses the path MTU which it would use to send packets
> >> from itself to the source and destination IP
> >> addresses. Prior to Linux 2.6.25, only the path MTU to the destination
> >> IP address was considered by this option; subsequent
> >> kernels also consider the path MTU to the source IP address.
> >>
> >> These options are mutually exclusive
> >>
> >>
> >> Greetings
> >> Jan
> >>
> >> --
> >> Murphy's Law of Combat
> >> Rule #3: "Never forget that your weapon was manufactured by the
> >> lowest bidder"
> >>
> >> _______________________________________________
> >> Dnsmasq-discuss mailing list
> >> Dnsmasq-discuss at lists.thekelleys.org.uk
> >> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>
> >
> >
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
More information about the Dnsmasq-discuss
mailing list