On Wed, 22 Nov 2006, Per Jessen wrote:
Roberto Nibali wrote:
iptables -I OUTPUT -p tcp --tcp-flags SYN,RST,ACK SYN,ACK -j
TCPMSS --clamp-mss-to-pmtu
All,
is there any possibility, even the slightest, that the change above
could cause corruption in emails (with e.g. Word or PDF attachments)?
Yes, there's always a chance. You check for SYN/ACK flags and clamp
mss there, probably killing fragmented packets (which could be
generated with such things like Word or PDF attachments). I would need
to take a deeper look at what you've created this time :).
OK, slight change - I'm now using the following on the real servers:
iptables -I OUTPUT -s 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN
-j TCPMSS --set-mss 1440
Where and when is the mss normally determined and set? (I have no idea.)
Just thinking out loud here... The mss depends on the MTU right? The MTU
depends on the interface, and which interface the packet will be routed
through is unknown until the routing stage. Which is _after_ the
OUTPUT chain. So I always clamped it in the POSTROUTING chain... also the
mangle table feels more appropriate (also filter is not available in
POSTROUTING). This always worked for me:
iptables -t mangle -A PREROUTING -p tcp -i eth0 --tcp-flags SYN,RST SYN -m
tcpmss --mss 1440: -j TCPMSS --set-mss 1440
Any way that this would cause corruption of an email? (the 10.0.0.0/8
network is only used by my IPIP tunnels). The MSS negotiation happens
at session setup, so ....
All I can offer is: I've used the above rule for ages without any
such problems, not in any LVS setup though.
Regards,
Mark.