It can either be set globally in tinc.conf, or per-node in host config files.
will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
+.It Va ClampMSS Li = yes | no Pq yes
+This option specifies whether tinc should clamp the maximum segment size (MSS)
+of TCP packets to the path MTU. This helps in situations where ICMP
+Fragmentation Needed or Packet too Big messages are dropped by firewalls.
+
.It Va Compression Li = Ar level Pq 0
This option sets the level of compression used for UDP packets.
Possible values are 0 (off), 1 (fast zlib) and any integer up to 9 (best zlib),
Furthermore, specifying "none" will turn off packet encryption.
It is best to use only those ciphers which support CBC mode.
+@cindex ClampMSS
+@item ClampMSS = <yes|no> (yes)
+This option specifies whether tinc should clamp the maximum segment size (MSS)
+of TCP packets to the path MTU. This helps in situations where ICMP
+Fragmentation Needed or Packet too Big messages are dropped by firewalls.
+
@cindex Compression
@item Compression = <@var{level}> (0)
This option sets the level of compression used for UDP packets.
#define OPTION_INDIRECT 0x0001
#define OPTION_TCPONLY 0x0002
#define OPTION_PMTU_DISCOVERY 0x0004
+#define OPTION_CLAMP_MSS 0x0008
typedef struct connection_status_t {
int pinged:1; /* sent ping */
if(choice)
myself->options |= OPTION_PMTU_DISCOVERY;
+ choice = true;
+ get_config_bool(lookup_config(config_tree, "ClampMSS"), &choice);
+ get_config_bool(lookup_config(myself->connection->config_tree, "ClampMSS"), &choice);
+ if(choice)
+ myself->options |= OPTION_CLAMP_MSS;
+
get_config_bool(lookup_config(config_tree, "PriorityInheritance"), &priorityinheritance);
#if !defined(SOL_IP) || !defined(IP_TOS)
if(myself->options & OPTION_PMTU_DISCOVERY)
c->options |= OPTION_PMTU_DISCOVERY;
+ choice = myself->options & OPTION_CLAMP_MSS;
+ get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice);
+ if(choice)
+ c->options |= OPTION_CLAMP_MSS;
+
get_config_int(lookup_config(c->config_tree, "Weight"), &c->estimated_weight);
return send_request(c, "%d %s %d %x", ACK, myport, c->estimated_weight, c->options);
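Review bot: `choice = myself->options & OPTION_CLAMP_MSS;` assigns the raw masked value (0x0008) to a flag variable whose declaration is outside this hunk. It works because the value is only tested with `if(choice)`, but `choice = (myself->options & OPTION_CLAMP_MSS) != 0;` states the intent and does not depend on how `bool` is defined on a given platform. This path also only ever sets the bit in `c->options`, while the ACK handler in the same commit both sets and clears it. If `c->options` can already carry the bit when this code runs (not visible here), a per-host `ClampMSS = no` would not be reflected in the options sent by `send_request`.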
int weight, mtu;
uint32_t options;
node_t *n;
+ bool choice;
if(sscanf(c->buffer, "%*d " MAX_STRING " %d %x", hisport, &weight, &options) != 3) {
logger(LOG_ERR, "Got bad %s from %s (%s)", "ACK", c->name,
if(get_config_int(lookup_config(myself->connection->config_tree, "PMTU"), &mtu) && mtu < n->mtu)
n->mtu = mtu;
+ if(get_config_bool(lookup_config(c->config_tree, "ClampMSS"), &choice)) {
+ if(choice)
+ c->options |= OPTION_CLAMP_MSS;
+ else
+ c->options &= ~OPTION_CLAMP_MSS;
+ }
+
/* Activate this connection */
c->allow_request = ALL;
}
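Review bot: Only the per-host file (`c->config_tree`) is consulted in this block, so a global `ClampMSS = no` in tinc.conf has no way to clear the bit for this connection. The `options` value parsed by `sscanf` earlier in ack_h comes from the remote side; if it is merged into `c->options` before this point (that code is outside the hunk), the peer's advertised bit stands whenever the host file is silent. If local policy is meant to win, apply the local default before the host-file override, e.g. `if(!(myself->options & OPTION_CLAMP_MSS)) c->options &= ~OPTION_CLAMP_MSS;`. If either side is meant to be able to request clamping, a comment saying so would prevent this from being read as an oversight.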
static void clamp_mss(const node_t *source, const node_t *via, vpn_packet_t *packet) {
- if(!via || via == myself)
+ if(!via || via == myself || !(via->options & OPTION_CLAMP_MSS))
return;
/* Find TCP header */
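Review bot: The new guard reads `via->options`, a node field, while the other hunks in this commit set OPTION_CLAMP_MSS on `c->options`, a connection field; the code that carries the bit from one to the other is not part of the diff. Please confirm that this propagation also covers nodes reached indirectly, where the bit would originate from options another node advertised rather than from a local handshake. A short comment above the guard would help, e.g. `/* Clamp only if the next hop's options request it */`. The body of clamp_mss continues outside this hunk.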
/* Use data offset field to calculate length of options field */
int len = ((packet->data[start + 12] >> 4) - 5) * 4;
+ if(packet->len < start + 20 + len)
+ return;
+
/* Search for MSS option header */
for(int i = 0; i < len;) {
if(packet->data[start + 20 + i] == 0)
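Review bot: The added bounds check trusts `len`, which is derived from the data-offset nibble of the packet and becomes negative when that field is below 5. In that case the comparison `packet->len < start + 20 + len` is weaker than the earlier length test, and the function relies on the `for` condition `i < len` to do nothing. That is safe as written, but an explicit `if(len <= 0) return;` ahead of the new check makes the handling of malformed headers deliberate rather than incidental. The check also bounds only the option area as a whole. The per-option length byte used to advance `i` inside the loop (outside this hunk) still has to be validated against `len`, including a length below 2, to avoid over-reads or a loop that does not advance.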