linux/net/netfilter
Benjamin LaHaise 170080645d [NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss
When terminating DSL connections for an assortment of random customers, I've
found it necessary to use iptables to clamp the MSS used for connections to
work around the various ICMP blackholes in the greater net.  Unfortunately,
the current behaviour in Linux is imperfect and actually makes things worse,
so I'm proposing the following: increasing the MSS in a packet can never be
a good thing, so make --set-mss only lower the MSS in a packet.

Yes, I am aware of --clamp-mss-to-pmtu, but it doesn't work for outgoing
connections from clients (i.e. web traffic), as it only looks at the PMTU on
the destination route, not the source of the packet (the DSL interfaces in
question have a 1442 byte MTU while the destination ethernet interface is
1500 -- there are problematic hosts which use a 1300 byte MTU).  Reworking
that is probably a good idea at some point, but it's more work than this is.

Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-28 14:58:50 -08:00
Kconfig [NETFILTER]: Select CONFIG_NETFILTER_NETLINK when needed 2008-01-28 14:56:25 -08:00
Makefile [NETFILTER]: x_tables: add rateest match 2008-01-28 14:56:03 -08:00
core.c [NETFILTER]: remove annoying debugging message 2008-01-28 14:56:16 -08:00
nf_conntrack_amanda.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_core.c [NETFILTER]: nf_conntrack_ipv4: fix module parameter compatibility 2007-12-26 19:36:33 -08:00
nf_conntrack_ecache.c
nf_conntrack_expect.c [NETFILTER]: Make netfilter code use the seq_open_private 2007-10-10 16:55:34 -07:00
nf_conntrack_extend.c [NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage() 2007-11-15 15:52:32 -08:00
nf_conntrack_ftp.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c [NETFILTER]: nf_ct_h323: remove ipv6 module dependency 2008-01-28 14:56:05 -08:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter endian regressions 2007-07-26 11:11:56 -07:00
nf_conntrack_irc.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_l3proto_generic.c
nf_conntrack_netbios_ns.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_netlink.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
nf_conntrack_pptp.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_proto.c
nf_conntrack_proto_generic.c sysctl: remove broken netfilter binary sysctls 2007-10-18 14:37:23 -07:00
nf_conntrack_proto_gre.c [NETFILTER]: ctnetlink: use netlink policy 2007-10-10 16:53:35 -07:00
nf_conntrack_proto_sctp.c sysctl: remove broken netfilter binary sysctls 2007-10-18 14:37:23 -07:00
nf_conntrack_proto_tcp.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
nf_conntrack_proto_udp.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
nf_conntrack_proto_udplite.c [NETFILTER]: Introduce NF_INET_ hook values 2008-01-28 14:53:55 -08:00
nf_conntrack_sane.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_conntrack_sip.c [NETFILTER]: Spelling fixes 2007-12-20 14:04:24 -08:00
nf_conntrack_standalone.c [NETFILTER]: Make netfilter code use the seq_open_private 2007-10-10 16:55:34 -07:00
nf_conntrack_tftp.c [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_internals.h [NETFILTER]: Replace sk_buff ** with sk_buff * 2007-10-15 12:26:29 -07:00
nf_log.c [NET] NETFILTER: Fix whitespace errors. 2007-07-19 10:44:21 +09:00
nf_queue.c [NETFILTER]: nf_queue: clean up error paths 2008-01-28 14:56:16 -08:00
nf_sockopt.c [NETFILTER]: fix compat_nf_sockopt typo 2007-11-15 14:29:21 -08:00
nf_sysctl.c
nfnetlink.c [NET]: make netlink user -> kernel interface synchronious 2007-10-10 21:15:29 -07:00
nfnetlink_log.c [NETFILTER]: Make netfilter code use the seq_open_private 2007-10-10 16:55:34 -07:00
nfnetlink_queue.c [NETFILTER]: nfnetlink_queue: update copyright 2008-01-28 14:56:23 -08:00
x_tables.c [NETFILTER]: ip_tables: move compat offset calculation to x_tables 2008-01-28 14:58:31 -08:00
xt_CLASSIFY.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_CONNMARK.c [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets 2008-01-28 14:58:37 -08:00
xt_CONNSECMARK.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_DSCP.c [NETFILTER]: IPv6 capable xt_TOS v1 target 2008-01-28 14:56:00 -08:00
xt_MARK.c [NETFILTER]: xt_MARK: add compat support for revision 0 2008-01-28 14:58:38 -08:00
xt_NFLOG.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_NFQUEUE.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_NOTRACK.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_RATEEST.c [NETFILTER]: x_tables: add RATEEST target 2008-01-28 14:56:02 -08:00
xt_SECMARK.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_TCPMSS.c [NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss 2008-01-28 14:58:50 -08:00
xt_TCPOPTSTRIP.c [NETFILTER]: x_tables: add TCPOPTSTRIP target 2008-01-28 14:55:51 -08:00
xt_TRACE.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_comment.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_connbytes.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_connlimit.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_connmark.c [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets 2008-01-28 14:58:37 -08:00
xt_conntrack.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_dccp.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_dscp.c [NETFILTER]: IPv6 capable xt_tos v1 match 2008-01-28 14:56:00 -08:00
xt_esp.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_hashlimit.c [NETFILTER]: xt_hashlimit: remove ip6tables module dependency 2008-01-28 14:56:04 -08:00
xt_helper.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_length.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_limit.c [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets 2008-01-28 14:58:37 -08:00
xt_mac.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_mark.c [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets 2008-01-28 14:58:37 -08:00
xt_multiport.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_owner.c [NETFILTER]: merge ipt_owner/ip6t_owner in xt_owner 2008-01-28 14:55:55 -08:00
xt_physdev.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_pkttype.c [IPV4] net/netfilter: Use ipv4_is_<type> 2008-01-28 14:58:16 -08:00
xt_policy.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_quota.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_rateest.c [NETFILTER]: x_tables: add rateest match 2008-01-28 14:56:03 -08:00
xt_realm.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_sctp.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_state.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_statistic.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_string.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_tcpmss.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_tcpudp.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_time.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00
xt_u32.c [NETFILTER]: x_tables: consistent and unique symbol names 2008-01-28 14:55:53 -08:00