Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
I don't see why moving the clamping to POSTROUTING causes the hiding of issues inside openwrt. The example presented by Etienne is perfectly valid and the suggestion to move the clamping to the POSTROUTING chain seems the right way to go when you have multiple interfaces that could be used for a packet.

I think this could be submitted as a ticket and we could let the developers decide. The other option of course is to add this to only the multiwan package.

Ashok

On Wed, Feb 22, 2012 at 2:24 PM, Oliver oli...@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa wrote:
> On Wednesday 22 Feb 2012 10:09:09 Philip Prindeville wrote:
>> I actually don't think that. I'm just pointing out that in corner cases, being overly conservative will increase your chances of success.
>
> Correct, but it does so by essentially alleviating the symptom of an underlying problem; since this change would be a great way of hiding any underlying TCP issues inside OpenWRT itself, I'm firmly against this idea - we should fix the root cause of a problem, not its symptoms.

___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
On 22/02/2012 04:27, Philip Prindeville wrote:
> On 2/21/12 3:21 PM, Oliver wrote:
>> On Tuesday 21 Feb 2012 22:19:19 Etienne Champetier wrote:
>>> A plausible example:
>>> First default route: optical fiber (MTU 1500)
>>> Second default route: pppoe (MTU 1492) (failover link)
>>> If the optical fiber goes down, the traffic from the router will pass through the PPPoE link, but with a MSS set to 1500-40 instead of 1492-40
>>
>> Presuming, for a moment, that you are multihomed and actually have the same IP usable on either interface (because, if you don't, your problem isn't the MSS) the correct solution is for the router to drop the oversized packet and send back an ICMP Fragmentation Needed/ICMPv6 Packet Too Big to the original sender who will then reduce the transfer size and sliding window accordingly. TCPMSS is ONLY ever needed for cases where someone criminally braindead is filtering the ICMP mentioned above, as I believe the manpage states.
>
> There are also a lot of routers out there that *still* don't do PMTU correctly ('still', because I worked on the standard more than 20 years ago).
>
> -Philip

As I understand it, if you're multihomed (packet load balancing), you need an AS number, BGP ..., so maybe you have the skills to add the clamping yourself, and I'm not sure it's very common.

The multiwan package is for the case that you have multiple wans with multiple ip addresses, to do connection load balancing.

What I wanted to do is to put the MSS clamping in POSTROUTING because I see no cons, only pros.

Etienne Champetier
Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
On Tuesday 21 Feb 2012 20:27:19 Philip Prindeville wrote:
> There are also a lot of routers out there that *still* don't do PMTU correctly ('still', because I worked on the standard more than 20 years ago).

What we're discussing here is moving TCPMSS such that packets to and from the OpenWRT router itself get MSS clamped - that should in no way be necessary. As the thread starter has already made clear, he seems to think that TCPMSS can somehow make your TCP connection seamlessly switch over to another source address (which of course it can't).
Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
On 2/22/12 7:59 AM, Oliver wrote:
> On Tuesday 21 Feb 2012 20:27:19 Philip Prindeville wrote:
>> There are also a lot of routers out there that *still* don't do PMTU correctly ('still', because I worked on the standard more than 20 years ago).
>
> What we're discussing here is moving TCPMSS such that packets to and from the OpenWRT router itself get MSS clamped - that should in no way be necessary. As the thread starter has already made clear, he seems to think that TCPMSS can somehow make your TCP connection seamlessly switch over to another source address (which of course it can't).

I actually don't think that. I'm just pointing out that in corner cases, being overly conservative will increase your chances of success.
Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
Hello

TCPMSS is now (since 28669 28671, 4 months) in the mangle table.

I know I can fix it but it's the default behaviour of openwrt to break ICMP (by default it only accepts ipv4 icmp echo-request on wan).

Here is a good schema of netfilter to understand (http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)

I've found an ugly case (with the multiwan package), when linux doesn't set the mss right. In this case MSS clamping in POSTROUTING solves the problem.

Say you have 2 or more default routes (0.0.0.0 mask), it will set the mss to the first default route, the multiwan magic will happen (reroute check part of the schema), and if your packet goes out through another wan, the MSS is the one of the first default route.

A plausible example:
First default route: optical fiber (MTU 1500)
Second default route: pppoe (MTU 1492) (failover link)
If the optical fiber goes down, the traffic from the router will pass through the PPPoE link, but with a MSS set to 1500-40 instead of 1492-40

There is no problem to clamp from POSTROUTING (iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o br-wan -j TCPMSS --clamp-mss-to-pmtu works well, as stated in the man it only decreases the mss, never increases)

To conclude, even if it's only for a few users, I see only benefits of doing mss clamp in POSTROUTING

On 18/02/2012 22:59, Oliver wrote:
> On Saturday 18 Feb 2012 19:32:04 Etienne Champetier wrote:
>> Hello
>> Is there a reason why the MSS clamping is done in FORWARD instead of POSTROUTING ? (it's the example in the manpage...)
>
> you shouldn't /need/ to clamp the MSS of packets to and from the router unless you're breaking ICMP, in which case, stop breaking ICMP. - also, if I remember rightly, clamping to pmtu isn't possible from the POSTROUTING chain.
>
> The only real discrepancy is that TCPMSS should be used in the mangle table, not filter - but fortunately it doesn't usually break anything if you fail to adhere to this.
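The failover case from the message above (a SYN built for the 1500-byte fiber route but sent out the 1492-byte PPPoE link), as an added example that is not part of the original thread: a simplified Python model of what a `TCPMSS --clamp-mss-to-pmtu` rule does to a SYN at egress, including the incremental checksum fix-up. It is not the kernel's implementation; `build_syn`, `clamp_mss`, `checksum_ok` and the port and sequence values are constructed for illustration, and the egress interface MTU stands in for the path MTU.

```python
import struct

OVERHEAD = 40  # IPv4 header (20) + TCP header (20): the thread's "1500-40"

def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length byte string."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_syn(mss: int) -> bytes:
    """Constructed sample: 24-byte TCP SYN whose only option is MSS.
    Checksum covers the header only (pseudo-header left out of the sample)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    hdr += struct.pack("!BBH", 2, 4, mss)
    return hdr[:16] + struct.pack("!H", csum16(hdr)) + hdr[18:]

def checksum_ok(tcp: bytes) -> bool:
    stored = struct.unpack_from("!H", tcp, 16)[0]
    return csum16(tcp[:16] + b"\x00\x00" + tcp[18:]) == stored

def clamp_mss(tcp: bytes, out_mtu: int) -> bytes:
    """Lower the MSS option of a SYN to out_mtu - 40; never raise it."""
    if tcp[13] & 0x06 != 0x02:            # same match as --tcp-flags SYN,RST SYN
        return tcp
    i, end = 20, min((tcp[12] >> 4) * 4, len(tcp))
    while i + 1 < end and tcp[i] != 0:    # kind 0 = end of option list
        if tcp[i] == 1:                   # kind 1 = NOP, single byte
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2 or i + length > end:
            break                         # malformed option: leave packet alone
        # MSS option; simplification: an odd-offset MSS is left untouched
        if tcp[i] == 2 and length == 4 and i % 2 == 0:
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            new = min(old, out_mtu - OVERHEAD)
            if new == old:
                return tcp
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m')
            hc = struct.unpack_from("!H", tcp, 16)[0]
            s = (~hc & 0xFFFF) + (~old & 0xFFFF) + new
            while s >> 16:
                s = (s & 0xFFFF) + (s >> 16)
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, new)
            struct.pack_into("!H", out, 16, ~s & 0xFFFF)
            return bytes(out)
        i += length
    return tcp
```

With these samples, `clamp_mss(build_syn(1460), 1492)` carries an MSS of 1452 with a still-valid checksum, while a SYN that already advertises 1400 passes through unchanged.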
[OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
Hello

Is there a reason why the MSS clamping is done in FORWARD instead of POSTROUTING ? (it's the example in the manpage...)

I'm asking this question for 2 reasons:
- the traffic originating from the router (OUTPUT) is not treated
- with the multiwan package (don't know if it's true with every multi wan implementation/technique), the output interface is not definitively set in the FORWARD chain, but it is in POSTROUTING, so if some wans have mss fix and some not, you may not treat the good packets

Thanks for your help

Etienne Champetier
Re: [OpenWrt-Devel] MSS clamping in POSTROUTING instead of FORWARD?
On Saturday 18 Feb 2012 19:32:04 Etienne Champetier wrote:
> Hello
> Is there a reason why the MSS clamping is done in FORWARD instead of POSTROUTING ? (it's the example in the manpage...)

you shouldn't /need/ to clamp the MSS of packets to and from the router unless you're breaking ICMP, in which case, stop breaking ICMP. - also, if I remember rightly, clamping to pmtu isn't possible from the POSTROUTING chain.

The only real discrepancy is that TCPMSS should be used in the mangle table, not filter - but fortunately it doesn't usually break anything if you fail to adhere to this.