Make MSS clamping configurable, but enabled by default.
It can either be set globally in tinc.conf, or per-node in host config files.
							parent
							
								
									95928f7c29
								
							
						
					
					
						commit
						b455111184
					
				
					 6 changed files with 35 additions and 1 deletions
				
			
		|  | @ -347,6 +347,11 @@ Furthermore, specifying | ||||||
| will turn off packet encryption. | will turn off packet encryption. | ||||||
| It is best to use only those ciphers which support CBC mode. | It is best to use only those ciphers which support CBC mode. | ||||||
| 
 | 
 | ||||||
|  | .It Va ClampMSS Li = yes | no Pq yes | ||||||
|  | This option specifies whether tinc should clamp the maximum segment size (MSS) | ||||||
|  | of TCP packets to the path MTU. This helps in situations where ICMP | ||||||
|  | Fragmentation Needed or Packet too Big messages are dropped by firewalls. | ||||||
|  | 
 | ||||||
| .It Va Compression Li = Ar level Pq 0 | .It Va Compression Li = Ar level Pq 0 | ||||||
| This option sets the level of compression used for UDP packets. | This option sets the level of compression used for UDP packets. | ||||||
| Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), | Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib), | ||||||
|  |  | ||||||
|  | @ -956,6 +956,12 @@ Any cipher supported by OpenSSL is recognized. | ||||||
| Furthermore, specifying "none" will turn off packet encryption. | Furthermore, specifying "none" will turn off packet encryption. | ||||||
| It is best to use only those ciphers which support CBC mode. | It is best to use only those ciphers which support CBC mode. | ||||||
| 
 | 
 | ||||||
|  | @cindex ClampMSS | ||||||
|  | @item ClampMSS = <yes|no> (yes) | ||||||
|  | This option specifies whether tinc should clamp the maximum segment size (MSS) | ||||||
|  | of TCP packets to the path MTU. This helps in situations where ICMP | ||||||
|  | Fragmentation Needed or Packet too Big messages are dropped by firewalls. | ||||||
|  | 
 | ||||||
| @cindex Compression | @cindex Compression | ||||||
| @item Compression = <@var{level}> (0) | @item Compression = <@var{level}> (0) | ||||||
| This option sets the level of compression used for UDP packets. | This option sets the level of compression used for UDP packets. | ||||||
|  |  | ||||||
|  | @ -29,6 +29,7 @@ | ||||||
| #define OPTION_INDIRECT		0x0001 | #define OPTION_INDIRECT		0x0001 | ||||||
| #define OPTION_TCPONLY		0x0002 | #define OPTION_TCPONLY		0x0002 | ||||||
| #define OPTION_PMTU_DISCOVERY	0x0004 | #define OPTION_PMTU_DISCOVERY	0x0004 | ||||||
|  | #define OPTION_CLAMP_MSS	0x0008 | ||||||
| 
 | 
 | ||||||
| typedef struct connection_status_t { | typedef struct connection_status_t { | ||||||
| 	int pinged:1;				/* sent ping */ | 	int pinged:1;				/* sent ping */ | ||||||
|  |  | ||||||
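Review bot: OPTION_CLAMP_MSS is a wire-visible bit, not just a local flag: the options word is sent to the peer in the ACK (`send_request(c, "%d %s %d %x", ACK, myport, c->estimated_weight, c->options)`) and parsed back with `%x` in ack_h, so 0x0008 must never be renumbered once peers can run this version. Nothing in the define block says so. A one-line comment above the OPTION_* defines would make the contract visible: `/* OPTION_* bits are exchanged in ACK messages; never renumber existing values */`. The rest of the header is outside the hunk.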
|  | @ -303,6 +303,12 @@ bool setup_myself(void) { | ||||||
| 	if(choice) | 	if(choice) | ||||||
| 		myself->options |= OPTION_PMTU_DISCOVERY; | 		myself->options |= OPTION_PMTU_DISCOVERY; | ||||||
| 
 | 
 | ||||||
|  | 	choice = true; | ||||||
|  | 	get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice); | ||||||
|  | 	get_config_bool(lookup_config(myself->connection->config_tree, "ClampMSS"), &choice); | ||||||
|  | 	if(choice) | ||||||
|  | 		myself->options |= OPTION_CLAMP_MSS; | ||||||
|  | 
 | ||||||
| 	get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance); | 	get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance); | ||||||
| 
 | 
 | ||||||
| #if !defined(SOL_IP) || !defined(IP_TOS) | #if !defined(SOL_IP) || !defined(IP_TOS) | ||||||
|  |  | ||||||
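Review bot: The precedence between tinc.conf and the node's own host config file for ClampMSS is established only by the order of the two `get_config_bool` calls, and both return values are discarded, so a reader cannot tell whether "host file overrides global" is deliberate. A comment above `choice = true;` such as `/* Default yes; tinc.conf may override, and our own host config file overrides both */` would state it. Note that ack_h in the same commit uses the return value of get_config_bool to distinguish "unset" from "no", whereas here an unset value presumably leaves the earlier choice in place; that is consistent with the PMTUDiscovery block just above but worth saying. setup_myself begins and ends outside the hunk.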
|  | @ -453,6 +453,11 @@ bool send_ack(connection_t *c) { | ||||||
| 	if(myself->options & OPTION_PMTU_DISCOVERY) | 	if(myself->options & OPTION_PMTU_DISCOVERY) | ||||||
| 		c->options |= OPTION_PMTU_DISCOVERY; | 		c->options |= OPTION_PMTU_DISCOVERY; | ||||||
| 
 | 
 | ||||||
|  | 	choice = myself->options & OPTION_CLAMP_MSS; | ||||||
|  | 	get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice); | ||||||
|  | 	if(choice) | ||||||
|  | 		c->options |= OPTION_CLAMP_MSS; | ||||||
|  | 
 | ||||||
| 	get_config_int(lookup_config(c->config_tree, "Weight"), &c->estimated_weight); | 	get_config_int(lookup_config(c->config_tree, "Weight"), &c->estimated_weight); | ||||||
| 
 | 
 | ||||||
| 	return send_request(c, "%d %s %d %x", ACK, myport, c->estimated_weight, c->options); | 	return send_request(c, "%d %s %d %x", ACK, myport, c->estimated_weight, c->options); | ||||||
|  | @ -496,6 +501,7 @@ bool ack_h(connection_t *c) { | ||||||
| 	int weight, mtu; | 	int weight, mtu; | ||||||
| 	uint32_t options; | 	uint32_t options; | ||||||
| 	node_t *n; | 	node_t *n; | ||||||
|  | 	bool choice; | ||||||
| 
 | 
 | ||||||
| 	if(sscanf(c->buffer, "%*d " MAX_STRING " %d %x", hisport, &weight, &options) != 3) { | 	if(sscanf(c->buffer, "%*d " MAX_STRING " %d %x", hisport, &weight, &options) != 3) { | ||||||
| 		logger(LOG_ERR, "Got bad %s from %s (%s)", "ACK", c->name, | 		logger(LOG_ERR, "Got bad %s from %s (%s)", "ACK", c->name, | ||||||
|  | @ -536,6 +542,13 @@ bool ack_h(connection_t *c) { | ||||||
| 	if(get_config_int(lookup_config(myself->connection->config_tree, "PMTU"), &mtu) && mtu < n->mtu) | 	if(get_config_int(lookup_config(myself->connection->config_tree, "PMTU"), &mtu) && mtu < n->mtu) | ||||||
| 		n->mtu = mtu; | 		n->mtu = mtu; | ||||||
| 
 | 
 | ||||||
|  | 	if(get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice)) { | ||||||
|  | 		if(choice) | ||||||
|  | 			c->options |= OPTION_CLAMP_MSS; | ||||||
|  | 		else | ||||||
|  | 			c->options &= ~OPTION_CLAMP_MSS; | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	/* Activate this connection */ | 	/* Activate this connection */ | ||||||
| 
 | 
 | ||||||
| 	c->allow_request = ALL; | 	c->allow_request = ALL; | ||||||
|  |  | ||||||
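Review bot: In ack_h the ClampMSS override is applied to `c->options` after the peer's advertised options have been received (parsed from `c->buffer` with `%x` at the sscanf line), so an explicit local host-config value wins over whatever the peer sent, while an unset local value leaves the bit as negotiated; that precedence is a trust decision and deserves a comment, e.g. `/* An explicit ClampMSS in the host config file overrides the bit negotiated with the peer */`. In send_ack, `choice = myself->options & OPTION_CLAMP_MSS;` relies on implicit conversion of a masked integer to choice's type; its declaration is outside the hunk, and if it is a plain int rather than bool, `choice = (myself->options & OPTION_CLAMP_MSS) != 0;` avoids depending on that. Both send_ack and ack_h start and end outside these hunks.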
|  | @ -94,7 +94,7 @@ static bool checklength(node_t *source, vpn_packet_t *packet, length_t length) { | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
| static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) { | static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) { | ||||||
| 	if(!via || via == myself) | 	if(!via || via == myself || !(via->options & OPTION_CLAMP_MSS)) | ||||||
| 		return; | 		return; | ||||||
| 
 | 
 | ||||||
| 	/* Find TCP header */ | 	/* Find TCP header */ | ||||||
|  | @ -112,6 +112,9 @@ static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *pac | ||||||
| 	/* Use data offset field to calculate length of options field */ | 	/* Use data offset field to calculate length of options field */ | ||||||
| 	int len = ((packet->data[start + 12] >> 4) - 5) * 4; | 	int len = ((packet->data[start + 12] >> 4) - 5) * 4; | ||||||
| 
 | 
 | ||||||
|  | 	if(packet->len < start + 20 + len) | ||||||
|  | 		return; | ||||||
|  | 
 | ||||||
| 	/* Search for MSS option header */ | 	/* Search for MSS option header */ | ||||||
| 	for(int i = 0; i < len;) { | 	for(int i = 0; i < len;) { | ||||||
| 		if(packet->data[start + 20 + i] == 0) | 		if(packet->data[start + 20 + i] == 0) | ||||||
|  |  | ||||||
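Review bot: The new length check in clamp_mss does not reject a malformed TCP data offset: when the field at `packet->data[start + 12] >> 4` is below 5, `len` is negative and `start + 20 + len` is smaller than the fixed header, so the check passes even though the header is not well-formed; the option loop then does not execute, so the only consequence is that the malformed header is silently accepted, but rejecting it explicitly is cheaper than reasoning about it later: `if(len < 0 || packet->len < start + 20 + len)`. Whether `start + 20` bytes were already verified before `packet->data[start + 12]` is read is not visible in this hunk; if not, that read needs its own bound. The rest of clamp_mss, including the MSS rewrite after the loop, is outside the hunk.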