Re: [Fwbuilder-discussion] Clamp MSS to MTU
From: Vadim K. ✎ <va...@vk...> - 2008-04-11 20:48:15
On Apr 11, 2008, at 1:09 PM, Nicolás López wrote:

> Hello Vadim
>
> I think I've found a little mistake in the order rules are placed when
> using the options "Accept ESTABLISHED and RELATED packets before the
> first rule" _and_ "Clamp MSS to MTU".
>
> When using those options, the following rules are placed in this order:
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> $IPTABLES -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>
> In 99% of the cases this rule order will not be of any trouble but, for
> packets going through the _forward_ chain (i.e. NATed and/or routed)
> which have a _RELATED_ connection (i.e. an ftp file transfer session),
> the 4th rule will never apply, so the tcp SYN or SYN/ACK packet will go
> out with the wrong MSS value, causing the connection to freeze.
>
> To resolve this there are a couple of workarounds or corrections to be
> made:
>
> 1 - When the option "Clamp MSS to MTU" is enabled, then place the 4th
> rule _always_ before the 3rd one.
>
> 2 - If you don't want to change the order rules are placed, then you
> can write it "$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp
> --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

this makes sense. Could you open a bug report please ?

--vk
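The ordering problem described in the quoted report comes down to first-match semantics: ACCEPT is a terminating target, so once the FORWARD chain's ESTABLISHED,RELATED rule accepts a RELATED SYN, the TCPMSS rule further down is never consulted. The following is an added illustration written for this archive page, not code from fwbuilder or from either poster: a small simulation of the FORWARD chain that walks the two rule orders from the report with a constructed SYN packet. The path MTU (1492) and the MSS value (1460) are assumed sample numbers; TCPMSS is modelled as non-terminating and `--clamp-mss-to-pmtu` as "MSS = PMTU - 40" for IPv4.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Packet:
    chain: str
    proto: str
    state: str                 # conntrack state: NEW, ESTABLISHED or RELATED
    syn: bool = False
    rst: bool = False
    mss: Optional[int] = None  # MSS option carried in the SYN (constructed sample value)


@dataclass
class Rule:
    chain: str
    target: str                                   # ACCEPT (terminating) or TCPMSS (non-terminating)
    states: Set[str] = field(default_factory=set)  # -m state --state A,B
    proto: Optional[str] = None                   # -p tcp
    syn_not_rst: bool = False                     # --tcp-flags SYN,RST SYN


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every match in an iptables rule must hold for the rule to fire."""
    if rule.chain != pkt.chain:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.syn_not_rst and not (pkt.syn and not pkt.rst):
        return False
    return True


def run_chain(rules: List[Rule], pkt: Packet, pmtu: int = 1492) -> Tuple[str, Optional[int]]:
    """Walk a chain top to bottom. ACCEPT ends traversal; TCPMSS rewrites the
    MSS option and lets the packet continue to the next rule."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.target == "ACCEPT":
            return "ACCEPT", pkt.mss
        if rule.target == "TCPMSS":
            limit = pmtu - 40          # --clamp-mss-to-pmtu on IPv4: MTU minus IP+TCP headers
            if pkt.mss is None or pkt.mss > limit:
                pkt.mss = limit
    return "POLICY", pkt.mss           # fell off the end: chain policy decides


def established_accept(chain: str) -> Rule:
    return Rule(chain, "ACCEPT", states={"ESTABLISHED", "RELATED"})


CLAMP = Rule("FORWARD", "TCPMSS", proto="tcp", syn_not_rst=True)

# Order produced with both options enabled, as quoted in the report.
ORIGINAL_ORDER = [established_accept("INPUT"), established_accept("OUTPUT"),
                  established_accept("FORWARD"), CLAMP]

# Workaround 1 from the report: the clamp rule placed before the FORWARD accept rule.
FIXED_ORDER = [established_accept("INPUT"), established_accept("OUTPUT"),
               CLAMP, established_accept("FORWARD")]


def forward_syn(state: str, order: List[Rule], mss: int = 1460) -> Tuple[str, Optional[int]]:
    """Send one forwarded TCP SYN with the given conntrack state through `order`."""
    pkt = Packet(chain="FORWARD", proto="tcp", state=state, syn=True, mss=mss)
    return run_chain(order, pkt)


if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        for state in ("NEW", "RELATED"):
            print(f"{label:8s} {state:8s} -> {forward_syn(state, order)}")
```

Running it shows the split the report describes: a NEW SYN (the common case) is clamped to 1452 under either order, while a RELATED SYN such as the FTP data connection leaves with its original MSS of 1460 under the original order and is clamped only under the fixed order. Workaround 2 (the same TCPMSS rule in the mangle table's POSTROUTING chain) is not modelled here; it works because a filter-table ACCEPT does not skip the mangle table, so the SYN reaches the clamp rule regardless of what the FORWARD chain decided.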