tech-net archive
Re: MSS clamping in NPF
procedure "norm" {
	normalize: "max-mss" 1432
}
group default {
	pass out final on pppoe0 family inet4 all apply "norm"
}
Correct me if I'm wrong, but I think a packet can only match on
a single rule, so this one will never match if the packet matches
on another rule before.
The problem is I have circa 500 filter rules. I can't apply "norm"
on all rules that can ever pass a packet on pppoe0.
You shouldn't need MSS clamping for IPv6 ever -- any network admin
that breaks IPv6 ICMP enough to inhibit Path MTU discovery should be
fired immediately and likely has much bigger problems already anyway.
Agreed.
--
Gergely EGERVARY
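
What MSS clamping does to a TCP SYN on the wire, as an added example that is not part of the original message and is not NPF's code. The names clamp_mss and sample_syn are hypothetical, and the sample header with its placeholder checksum is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: 24-byte TCP SYN header carrying MSS 1460 (02 04 05 b4).
 * The checksum 0x1234 is a placeholder, not valid for any real address pair. */
uint8_t sample_syn[24] = {
    0xc0, 0x00, 0x01, 0xbb, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xff, 0xff, 0x12, 0x34, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4
};

/* Lower the MSS option of a SYN to max_mss. Returns the new MSS if rewritten,
 * 0 if left alone, -1 if the header or option list is malformed. */
int clamp_mss(uint8_t *tcp, size_t len, uint16_t max_mss)
{
    size_t hlen = len < 20 ? 0 : (size_t)(tcp[12] >> 4) * 4;
    if (hlen < 20 || hlen > len) return -1;
    if (!(tcp[13] & 0x02)) return 0;              /* MSS only appears on SYN */
    for (size_t i = 20; i < hlen; ) {
        if (tcp[i] == 0) break;                   /* end of option list */
        if (tcp[i] == 1) { i++; continue; }       /* NOP padding */
        if (i + 1 >= hlen || tcp[i + 1] < 2 || i + tcp[i + 1] > hlen) return -1;
        if (tcp[i] == 2) {                        /* MSS: kind 2, length 4 */
            if (tcp[i + 1] != 4) return -1;
            uint16_t old = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]), nw = max_mss;
            if (old <= max_mss) return 0;         /* never raise the peer's MSS */
            tcp[i + 2] = (uint8_t)(nw >> 8);
            tcp[i + 3] = (uint8_t)nw;
            if (i & 1) {                          /* value straddles two words */
                old = (uint16_t)(old << 8 | old >> 8);
                nw = (uint16_t)(nw << 8 | nw >> 8);
            }
            /* RFC 1624 incremental update: HC' = ~(~HC + ~m + m') */
            uint32_t s = (uint16_t)~(tcp[16] << 8 | tcp[17]);
            s += (uint16_t)~old; s += nw;
            while (s >> 16) s = (s & 0xffff) + (s >> 16);
            tcp[16] = (uint8_t)(~s >> 8);
            tcp[17] = (uint8_t)~s;
            return max_mss;
        }
        i += tcp[i + 1];
    }
    return 0;
}

int main(void)
{
    printf("clamped to %d\n", clamp_mss(sample_syn, sizeof sample_syn, 1432));
    return 0;
}
```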