MTU problem

Per Jessen per at computer.org
Wed Nov 22 16:36:59 GMT 2006


Roberto Nibali wrote:

>>>> iptables -I OUTPUT -p tcp --tcp-flags SYN,RST,ACK SYN,ACK  -j
>>>> TCPMSS --clamp-mss-to-pmtu
>> 
>> All,
>> 
>> is there any possibility, even the slightest, that the change above
>> could cause corruption in emails (with e.g. Word or PDF attachments)
>> ?
> 
> Yes, there's always a chance. You check for SYN/ACK flags and clamp
> mss there, probably killing fragmented packets (which could be
> generated with such things as Word or PDF attachments). I would need
> to take a deeper look at what you've created this time :).

OK, slight change - I'm now using the following on the real servers:

iptables -I OUTPUT -s 10.0.0.0/8 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1440

Any way that this would cause corruption of an email?  (the 10.0.0.0/8
network is only used by my IPIP tunnels).  The MSS negotiation happens
at session setup, so ....



/Per Jessen, Zürich
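
As an added illustration (not part of the original message and not netfilter's code), the Python sketch below models which bytes a rule like the one above rewrites: only the MSS option and checksum of segments matching `--tcp-flags SYN,RST SYN`, with every other segment returned byte for byte. The function names, the downward-only clamp and the constructed sample segments (checksummed without a pseudo-header) are assumptions of the sketch.

```python
import struct

SYN, RST, MSS_KIND = 0x02, 0x04, 2    # TCP flag bits; option kind 2 is MSS

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum, the arithmetic behind the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def clamp_mss(segment: bytes, new_mss: int = 1440) -> bytes:
    """Lower a SYN's MSS option to new_mss; return other segments unchanged.
    Sketch assumptions: the MSS is only lowered, never raised or added."""
    if len(segment) < 20 or segment[13] & (SYN | RST) != SYN:
        return segment                    # --tcp-flags SYN,RST SYN does not match
    seg = bytearray(segment)
    header_len = min((seg[12] >> 4) * 4, len(seg))
    i = 20                                # options follow the 20-byte fixed header
    while i + 1 < header_len and seg[i] != 0:   # kind 0 ends the option list
        if seg[i] == 1:                   # NOP is a single byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2 or i + length > header_len:
            break                         # malformed option, stop parsing
        if seg[i] == MSS_KIND and length == 4:
            old_mss = struct.unpack_from("!H", seg, i + 2)[0]
            if old_mss > new_mss:
                before = ones_sum(bytes(seg))
                struct.pack_into("!H", seg, i + 2, new_mss)
                seg[16:18] = b"\x00\x00"  # recompute the checksum field so the
                rest = ones_sum(bytes(seg))       # segment's sum stays the same
                fixed = ones_sum(struct.pack("!2H", before, ~rest & 0xFFFF))
                struct.pack_into("!H", seg, 16, fixed)
            break
        i += length
    return bytes(seg)

def sample(flags: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed segment; its checksum covers the segment only (no pseudo-header)."""
    off = ((20 + len(options)) // 4) << 4
    hdr = struct.pack("!HHIIBBHHH", 25, 40000, 1, 0, off, flags, 65535, 0, 0) + options
    csum = ~ones_sum(hdr + payload) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload
```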

