Re: clearing dont-fragment bit

[Abraham van der Merwe <abz@frogfoot.net>]

Hi Ramin                                         >@2003.10.09_16:43:34_+0200

> > > > Are there any iptables extensions out there that allow you to clear the DF
> > > > (Dont Fragment) bit in ip headers?
> > > AFAIK no. Why would you want to do that?
> > > I think I might write a module that would do that.
> > 
> > I need it for tunnels. In a perfect world that wouldn't be necessary at all,
> > but reality is that there's many brain dead admins that filter icmp, so if
> > you build a tunnel over the big bad internet, you're screwed.
> > 
> > You can use the TCPMSS target which solves it for tcp, but you still have
> > the same problem with udp packets, so imho the only way to solve this
> > properly is to fragment packets even if DF=1.
> 
> The applications that set the DF bit, do so for a reason not just for the
> fun. Sometimes (well, actually most of the time) it's for the performance
> reasons in which case turning it off and having a poor performance is
> preferable than it not working at all. On the other hand, the DF bit would be
> set by the application probes to figure the PMTU. Setting that off on the
> firewall would harm the purpose.

Ideally one would want to leave DF untouched unless a packet with DF=1 is
resent in which case you clear it - that way you solve PMTU probes, but I
suspect this would be overly complicated / resource intensive.

Even better would be if there was a tunnelling protocol that would just take
packets on side A (incl ip headers, galore), chop it up, and reassemble it
on the other side. Unfortunately there is no such thing :P

> Can you come up with a list of the non-TCP-based application protocols that
> would use the PMTU (DF bit)?

Basically any UDP application that sends packets bigger than the maximum
allowed mtu. I would assume TFTP, SNMP, etc. would all get into trouble. I
know that some protocols such as DNS try to stay below 512 bytes payload,
but there is probably a gazillion protocols out there that don't.

-- 

Regards
 Abraham

The meek shall inherit the earth; the rest of us will go to the stars.

___________________________________________________
 Abraham vd Merwe - Frogfoot Networks CC
 9 Kinnaird Court, 33 Main Street, Newlands, 7700
 Phone: +27 21 686 1665 Cell: +27 82 565 4451
 Http: http://www.frogfoot.net/ Email: abz@frogfoot.net