Mark de Vries wrote:
>> OK, slight change - I'm now using the following on the real servers:
>>
>> iptables -I OUTPUT -s 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN
>> -j TCPMSS --set-mss 1440
>
> Where and when is the mss normally determined and set? (I have no
> idea.)
To the best of my knowledge it happens during the TCP handshake, but I
guess there are some predefined values to start with.
> Just thinking out loud here... The mss depends on the MTU right? The
> MTU depends on the interface, and which interface the packet will be
> routed through is unknown until the routing stage. Which is
> _after_ the OUTPUT chain. So I always clamped it in the POSTROUTING
> chain... also the mangle table feels more appropriate (also filter is
> not available in POSTROUTING). This always worked for me:
>
> iptables -t mangle -A PREROUTING -p tcp -i eth0 --tcp-flags SYN,RST
> SYN -m tcpmss --mss 1440: -j TCPMSS --set-mss 1440
But as you're setting a fixed value anyway, the MTU of the interface
makes no difference - maybe this is where I screwed up - I was clamping
the MSS to the PMTU, but in the OUTPUT chain. Now I'm also using a
fixed value, although still in the OUTPUT chain.
I'm curious - in the above, you're also matching on the original MSS
size before you set it, but you're using 1440 for both?
regards,
Per Jessen, Zürich
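As an added example (not code from either poster), a small POSIX sh helper that derives the MSS from a given MTU and emits the clamp in the mangle POSTROUTING chain, where the outgoing interface is already known; the interface names and MTU values it is called with are constructed placeholders, and the `--mss N:` match starts one above the target so SYNs that already advertise a smaller MSS are left alone.

```shell
#!/bin/sh
# Added example, not from the thread: derive the MSS from an MTU and emit
# a TCPMSS clamp in mangle/POSTROUTING, after routing has picked the
# outgoing interface. Interface names and MTUs below are placeholders.

# MSS = MTU minus the fixed IP and TCP header sizes
# (20 + 20 bytes for IPv4, 40 + 20 bytes for IPv6).
mss_for_mtu() {
    mtu=$1; family=${2:-4}
    case $family in
        4) echo $((mtu - 40)) ;;
        6) echo $((mtu - 60)) ;;
        *) return 1 ;;
    esac
}

# Build the clamp rule. "-m tcpmss --mss N:" matches SYNs whose advertised
# MSS is N or larger (inclusive), so start the range one above the target:
# a SYN already at or below the target is not rewritten to the same value.
clamp_rule() {
    iface=$1; mtu=$2; family=${3:-4}
    mss=$(mss_for_mtu "$mtu" "$family") || return 1
    if [ "$family" = 6 ]; then tool=ip6tables; else tool=iptables; fi
    echo "$tool -t mangle -A POSTROUTING -o $iface -p tcp" \
         "--tcp-flags SYN,RST SYN -m tcpmss --mss $((mss + 1)):" \
         "-j TCPMSS --set-mss $mss"
}

# Apply (or, with DRY_RUN=1, only print) one rule per "iface:mtu" argument.
apply_clamps() {
    for pair in "$@"; do
        iface=${pair%%:*}; mtu=${pair#*:}
        rule=$(clamp_rule "$iface" "$mtu") || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$rule"; else eval "$rule"; fi
    done
}

# Dry run with placeholder interfaces: a PPPoE link (MTU 1492) and Ethernet.
DRY_RUN=1
apply_clamps ppp0:1492 eth0:1500
```

Run it as root with DRY_RUN unset (or 0) to actually insert the rules; the match range means re-running it does not rewrite SYNs that are already below the target.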