Re: clearing dont-fragment bit


 



On Thu, 2003-10-09 at 18:50, Abraham van der Merwe wrote:
> Hi Ralf                                          >@2003.10.09_18:23:06_+0200
> 
> > > Are there any iptables extensions out there that allow you to clear the DF
> > > (Don't Fragment) bit in ip headers?
> > If you clear the DF-Bit and use Linux on either side of the tunnel where
> > the packets are fragmented you are in deep trouble, because Linux 2.4
> > (when using PMTU) not only sets the DF-Bit but also clears the IP-ID
> > which is needed to defragment the packets again. So, when clearing the
> > DF-Bit you have to ensure unique numbers in the IP-ID field, too.
> 
> Surely if I clear the DF-bit in the mangle table then the ipstack should
> only defragment the packet later on when it made a routing decision and
> decided over which interface to send the packet(s) and set the IP-ID fields
> and MF-bit accordingly?
Usually the IP-ID field is set by the sender and not by the router
fragmenting the packet. You have to set the IP-ID field and clear the
DF-Bit at the same time. 

> 
> Are there any other side-effects when clearing the DF-bit?
Only maybe the overhead when a fragment is lost.

Cheers,

Ralf
-- 
Ralf Spenneberg
RHCE, RHCX

Book: Intrusion Detection für Linux Server   http://www.spenneberg.com
IPsec-Howto				     http://www.ipsec-howto.org
Honeynet Project Mirror:                     http://honeynet.spenneberg.org
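Ralf's point, worked through as an added example that is not part of the thread: a sender that already sets DF and leaves the IP-ID at zero produces datagrams whose fragments a receiver cannot tell apart once DF is merely cleared, so the rewrite has to assign an ID as well and recompute the header checksum. The packet headers below are constructed samples; the field layout and the reassembly key (source, destination, protocol, identification) are from RFC 791, and the ID counter is a simplified stand-in for a real per-flow counter.

```python
import struct
from itertools import count

HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 base header: ver/ihl, tos, len, id, flags+offset, ttl, proto, csum, src, dst
DF_BIT = 0x4000       # Don't Fragment flag inside the flags/fragment-offset word
def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; returns 0 for a header whose checksum is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def with_checksum(pkt: bytes) -> bytes:
    """Fill the checksum field (bytes 10-11, which must be zero on input) of a 20-byte header."""
    return pkt[:10] + struct.pack("!H", ipv4_checksum(pkt[:20])) + pkt[12:]

def build_header(ident: int, df: bool, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample: 1500-byte TCP datagram header as a PMTU-using Linux 2.4 sender emits it (DF set, ID 0)."""
    return with_checksum(struct.pack(HDR, 0x45, 0, 1500, ident, DF_BIT if df else 0, 64, 6, 0, src, dst))

def naive_clear_df(pkt: bytes) -> bytes:
    """Clear only DF, as a bare mangle rule would; the IP-ID stays whatever the sender put there."""
    flags_off = struct.unpack("!H", pkt[6:8])[0] & ~DF_BIT & 0xFFFF
    return with_checksum(pkt[:6] + struct.pack("!H", flags_off) + pkt[8:10] + b"\x00\x00" + pkt[12:])

def new_id_generator():
    """Simplified stand-in: one counter starting at 1 (never 0); a real router would keep one per flow."""
    return count(1)

def clear_df(pkt: bytes, id_gen) -> bytes:
    """Clear DF and, if the sender left IP-ID at zero, assign a fresh one, as Ralf's reply requires."""
    f = list(struct.unpack(HDR, pkt[:20]))
    f[4] &= ~DF_BIT & 0xFFFF                # clear DF, keep MF and fragment offset untouched
    if f[3] == 0:
        f[3] = next(id_gen) & 0xFFFF
    f[7] = 0                                # zero the checksum before recomputing it
    return with_checksum(struct.pack(HDR, *f) + pkt[20:])

def reassembly_key(pkt: bytes):
    """What a receiver groups fragments by (RFC 791): source, destination, protocol, identification."""
    return pkt[12:16], pkt[16:20], pkt[9], pkt[4:6]
def has_df(pkt): return bool(struct.unpack("!H", pkt[6:8])[0] & DF_BIT)
def header_id(pkt): return struct.unpack("!H", pkt[4:6])[0]
def checksum_ok(pkt): return ipv4_checksum(pkt[:20]) == 0

if __name__ == "__main__":
    gen, a, b = new_id_generator(), build_header(0, True), build_header(0, True)
    print("naive, same reassembly key:", reassembly_key(naive_clear_df(a)) == reassembly_key(naive_clear_df(b)))
    print("fixed, same reassembly key:", reassembly_key(clear_df(a, gen)) == reassembly_key(clear_df(b, gen)))
```

With the naive rewrite both datagrams still share one reassembly key, so their fragments would be mixed at the receiver; with the ID assigned alongside clearing DF, the keys differ and the checksum stays valid.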


