From: Myles Uyema myles@puck.nether.net
To: lartc@vger.kernel.org
Subject: [LARTC] fwmark+iproute2 routing policy, CIPE, tcpmss woes
Date: Sun, 18 Feb 2001 15:52:45 +0000 [thread overview]
Message-ID: <marc-lartc-98373940417032@msgid-missing> (raw)
<PRE>CIPE between two Linux systems on the Internet has been established.
Now I want to route all tcp traffic between the two linux systems over
the CIPE tunnel, so I've set up fwmark and iproute2 policies.
However, the TCPMSS rule only applies to SYN packets. I'm able to
set the TCPMSS to 1400 for client TCP connections, but on the server,
the kernel message "sending pkt_too_big to self" repeatedly gets
logged, and tcp connections constantly get hung.
CIPE address Internet IP
192.168.250.33 209.249.19.46 linux-dsl
192.168.250.34 65.0.152.158 athome
Commands run on "athome" (relevant sections reversed on "linux-dsl")
echo 201 >> /etc/iproute2/rt_tables cipe0.vpn
iptables -t mangle -A OUTPUT -p tcp --syn -j TCPMSS --set-mss 1460
iptables -t mangle -A OUTPUT -p tcp -d 209.249.19.46 -j MARK --set-mark 1
ip rule add fwmark 1 table cipe0.vpn
ip route add default via 192.168.250.34 dev cipcb0 table cipe0.vpn
Here's a snippet from "tcpdump -ni cipcb0 tcp port 25"
Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket
tcpdump: listening on cipcb0
12:15:58.996627 > 65.0.152.158.10046 > 209.249.19.46.smtp: S 2412475983:2412475983(0) win 5840 <mss 1400,sackOK,timestamp 817624 0,nop,wscale 0> (DF)
12:16:01.991788 > 65.0.152.158.10046 > 209.249.19.46.smtp: S 2412475983:2412475983(0) win 5840 <mss 1400,sackOK,timestamp 817924 0,nop,wscale 0> (DF)
12:16:02.011327 < 209.249.19.46.smtp > 65.0.152.158.10046: S 2416837938:2416837938(0) ack 2412475984 win 5792 <mss 1460,sackOK,timestamp 40493706 817624,nop,wscale 0> (DF)
12:16:02.011445 > 65.0.152.158.10046 > 209.249.19.46.smtp: . 1:1(0) ack 1 win 5840 <nop,nop,timestamp 817925 40493706> (DF)
12:16:02.039513 < 209.249.19.46.smtp > 65.0.152.158.10046: P 1:62(61) ack 1 win 5792 <nop,nop,timestamp 40493709 817925> (DF)
12:16:02.039591 > 65.0.152.158.10046 > 209.249.19.46.smtp: . 1:1(0) ack 62 win 5840 <nop,nop,timestamp 817928 40493709> (DF)
12:16:02.059384 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 1:38(37) ack 62 win 5840 <nop,nop,timestamp 817930 40493709> (DF)
12:16:02.093587 < 209.249.19.46.smtp > 65.0.152.158.10046: . 62:62(0) ack 38 win 5792 <nop,nop,timestamp 40493714 817930> (DF)
12:16:02.096197 < 209.249.19.46.smtp > 65.0.152.158.10046: P 62:238(176) ack 38 win 5792 <nop,nop,timestamp 40493714 817930> (DF)
12:16:02.096603 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 38:44(6) ack 238 win 6500 <nop,nop,timestamp 817934 40493714> (DF)
12:16:02.136428 < 209.249.19.46.smtp > 65.0.152.158.10046: P 238:261(23) ack 44 win 5792 <nop,nop,timestamp 40493717 817934> (DF)
12:16:02.136625 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 44:79(35) ack 261 win 6500 <nop,nop,timestamp 817938 40493717> (DF)
12:16:02.165945 < 209.249.19.46.smtp > 65.0.152.158.10046: P 261:309(48) ack 79 win 5792 <nop,nop,timestamp 40493722 817938> (DF)
12:16:02.166140 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 79:114(35) ack 309 win 6500 <nop,nop,timestamp 817941 40493722> (DF)
12:16:02.191079 < 209.249.19.46.smtp > 65.0.152.158.10046: P 309:362(53) ack 114 win 5792 <nop,nop,timestamp 40493724 817941> (DF)
12:16:02.191251 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 114:120(6) ack 362 win 6500 <nop,nop,timestamp 817943 40493724> (DF)
12:16:02.210254 < 209.249.19.46.smtp > 65.0.152.158.10046: P 362:412(50) ack 120 win 5792 <nop,nop,timestamp 40493726 817943> (DF)
12:16:02.210537 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 120:165(45) ack 412 win 6500 <nop,nop,timestamp 817945 40493726> (DF)
12:16:02.275256 < 209.249.19.46.smtp > 65.0.152.158.10046: . 412:412(0) ack 165 win 5792 <nop,nop,timestamp 40493733 817945> (DF)
Notice how 209.249.19.46 responds with a 1460 TCPMSS. This is too large
when being tunneled through cipcb0. It appears to me that
fwmark+iproute2 policy routing does not honor the gateway device's MTU.
(CIPE tunnel devices have an MTU of 1442).
Can anyone volunteer some suggestions?
</PRE>
reply other threads:[~2001-02-18 15:52 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-98373940417032@msgid-missing \
--to=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.