On May 16, 2004 05:28 am, Stephen Jones wrote:
> Hello All,
>
> I am having difficulty locating and applying the tcp-MSS patch as described
> here:
>
> http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-4.html#ss4.7
>
> I have run through both the patch-o-matic-20031219 and the
> patch-o-matic-ng-20040302 against an iptables 1.2.9 and 2.4.25 kernel
> sources. The option to apply the patch does not appear as I run through
> the ./runme extra or ./runme userspace scripts for either patch-o-matics.
>
> I am in desperate need to implement:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS
> --clamp-mss-to-pmtu

Umm ... try

iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I've always included the -m tcp --- to load the appropriate iptables internal module.

>
> with a pptp client I have installed on a gateway device.
> (http://pptpclient.sourceforge.net/ <-- main page, and see these for the
> problem I am trying to solve:
> http://pptpclient.sourceforge.net/howto-diagnosis.phtml#connections_freeze
> and finally http://lartc.org/howto/lartc.cookbook.mtu-mss.html)
>
> The kernel config has these options set:
>
> CONFIG_IP_NF_MATCH_TCPMSS=y
> CONFIG_IP_NF_TARGET_TCPMSS=y
>
> Both the kernel and iptables appear to compile without complaints.

I take it you have rebuilt the kernel to get this code in. You need to make sure that after a kernel change and rebuild you have rebuilt the iptables userspace code against this new kernel code or it will work in weird ways -- or not work at all.

>
> I get an "unknown arg `--clamp-mss-to-pmtu' gripe from the recompiled
> iptables when I enter the full command as specified above.
>

can you find libipt_TCPMSS.so on your system anywhere? -- This is the bit that provides the userspace code.

if you do a

find / -name iptables

how many do you have?
One other issue folks have had issues with is that you can end up with several copies of iptables installed, which have different functionalities built in, and which end up not matching the running kernel for some things.

> The only "hits" I could find using tcp-MSS on a google hunt were to a post
> on the netfilter list from October of 1999, and a reference to the patch on
> the samba cvs, but it was a dead link...
>
> A nudge in the right direction would be greatly appreciated! Thanks for
> your time!

good luck,

Alistair Tonner

>
> SJ
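
The checks suggested in the reply above (count the installed iptables binaries, look for libipt_TCPMSS.so, confirm the kernel option), gathered into one script as an added example that is not part of the original thread. The function names and the ROOT and CONFIG arguments are assumptions, introduced so the checks can be run against any directory tree and any kernel config file.

```shell
#!/bin/sh
# Added example. ROOT and CONFIG arguments and all function names are
# assumptions made so the checks can be pointed at any tree.

# Every executable regular file named "iptables" under ROOT (default /).
list_iptables_bins() {
    find "${1:-/}" -type f -name iptables -perm -100 2>/dev/null
}

# Every copy of the TCPMSS userspace extension under ROOT (default /).
list_tcpmss_ext() {
    find "${1:-/}" -type f -name libipt_TCPMSS.so 2>/dev/null
}

# Succeeds when the kernel config file builds the TCPMSS target (=y or =m).
kernel_has_tcpmss_target() {
    grep -Eq '^CONFIG_IP_NF_TARGET_TCPMSS=[ym]$' "$1" 2>/dev/null
}

# Usage: diagnose ROOT CONFIG
# Returns 0 only if the target is configured, the extension exists and
# exactly one iptables binary is installed; prints each problem found.
diagnose() {
    root=$1
    config=$2
    status=0
    bins=$(list_iptables_bins "$root" | wc -l | tr -d ' ')
    exts=$(list_tcpmss_ext "$root" | wc -l | tr -d ' ')
    if ! kernel_has_tcpmss_target "$config"; then
        echo "kernel: CONFIG_IP_NF_TARGET_TCPMSS is not y or m in $config"
        status=1
    fi
    if [ "$exts" -eq 0 ]; then
        echo "userspace: libipt_TCPMSS.so not found under $root"
        status=1
    fi
    if [ "$bins" -ne 1 ]; then
        echo "userspace: $bins iptables binaries found (the shell runs: $(command -v iptables || echo none))"
        list_iptables_bins "$root"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: one iptables binary, TCPMSS extension present, target configured"
    fi
    return "$status"
}
```

Call it as `diagnose / /path/to/kernel/.config`, with the second argument pointing at the config of the kernel that was actually rebuilt.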