Hi,
Ralf Nyren wrote:
> Greetings,
>
> I've noticed that when ip-traffic, to be masqueraded, is sent through my
> firewall the value of /proc/sys/net/ipv4/ip_always_defrag changes up and
> down. Both positive and negative values have been observed.
>
> This is rather annoying since when the value occasionally hits 0 the
> defrag option is disabled (at least for non-masqueraded traffic),
> my firewall starts dropping fragments since there is no rule for them.
> (In a normal case all packets are defragged before hitting the
> firewall code)
> Setting /proc/sys/net/ipv4/ip_always_defrag back to 1 temporary solves
> the problem until masq traffic changes it again.
>
>
> A quick look in net/ipv4/ip_masq.c and ip_fw.c tells that probably
> some of the sysctl_ip_always_defrag++ (or --) calls runs a bit
> uncontrolled. But that's just a guess.
Set 1 to /proc/sys/net/ipv4/ip_always_defrag before the first masq
connection (at net set up) and don't change it anymore or use:
echo 1000000000 > /proc/sys/net/ipv4/ip_always_defrag
You even don't need to help masquerade by changing this value.
The negative values are possible only when you set the value to 1.
Regards,
Julian Anastasov
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:17 EST