TCP uses ICMP for path MTU discovery and some other functions, path MTU
discovery being the most important. Failure to route ICMP packets the
same direction as the rest of the TCP session will cause TCP to hang,
and finally time out under certain conditions.
Most routers (including Linux) cannot track ICMP packets belonging to a
TCP session properly in plain route maps, causing these functions to
fail.
If you use Linux iptables NAT, then ICMP packets are automatically
tracked as part of the NAT TCP session, and will thus get routed
correctly.
For transparent proxies you can work around the lack of ICMP support in
route maps by disabling path MTU discovery for the proxy interface
pointing towards your clients.
--
Henrik Nordstrom
Squid Hacker

Andrea Glorioso wrote:
>
> >>>>> "hn" == Henrik Nordstrom <hno@hem.passagen.se> writes:
>
>     hn> Hmm.. thinking a bit more on the routing issues.. it is
>     hn> probably safer to use NAT as you do and accept that some
>     hn> clients will fail. Doing a proper routing setup is non-trivial
>     hn> unless you patch iptables with connection mark capabilities to
>     hn> also catch related ICMP traffic.
>
> Could you elaborate on the problem posed by ICMP traffic?
>
> Bye,
>
> Andrea Glorioso

Received on Tue Jul 24 2001 - 16:10:10 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:18 MST
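The mechanics behind the thread above, as an added example that is not part of the original message and is not Squid or iptables code: a router that meets an oversized packet either returns an ICMP "fragmentation needed" error (DF set) or fragments (DF clear, i.e. path MTU discovery disabled), and the ICMP error's outer header only says router -> sender, so the TCP session it belongs to can be recovered only from the embedded original header. That embedded-header lookup is what a stateful (conntrack) box does to classify the ICMP as RELATED; a stateless route map never sees it. All addresses, ports and packets are constructed for this example, and the IPv4/TCP headers are simplified (checksums left zero) since nothing here verifies them.

```python
"""Tie an ICMP 'fragmentation needed' error to the TCP session it refers
to (stateful handling), and show what clearing DF changes at the hop.
All packets below are constructed for this example."""
import ipaddress
import math
import struct

ICMP_PROTO, TCP_PROTO = 1, 6
IP_DF = 0x4000


def ipv4_header(src, dst, proto, payload_len, df=True, ident=0x1234):
    """Minimal IPv4 header; checksum is left 0 (nothing here verifies it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       IP_DF if df else 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def tcp_segment(sport, dport, data, seq=1000):
    """TCP header without options (data offset 5), then the data."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18,
                       65535, 0, 0) + data


def parse_ipv4(pkt):
    ver_ihl, _, total, _, flags, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "df": bool(flags & IP_DF),
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total]}


def forward_hop(pkt, link_mtu, router_ip):
    """Router behaviour for a packet larger than its outgoing link.
    DF set: drop and return ICMP type 3 code 4 with the next-hop MTU (RFC 1191),
    addressed from the router to the original sender.
    DF clear (PMTU discovery disabled): fragment; returns the fragment count."""
    if len(pkt) <= link_mtu:
        return ("pass", pkt)
    hdr = parse_ipv4(pkt)
    if hdr["df"]:
        # ICMP header (8 bytes) + original IP header + first 8 bytes of payload
        body = struct.pack("!BBHHH", 3, 4, 0, 0, link_mtu) + pkt[:28]
        return ("icmp", ipv4_header(router_ip, hdr["src"], ICMP_PROTO,
                                    len(body), df=False) + body)
    per_frag = (link_mtu - 20) // 8 * 8      # fragment offsets are 8-byte units
    return ("fragment", math.ceil(len(hdr["payload"]) / per_frag))


def related_flow(icmp_pkt):
    """Return ((src, sport, dst, dport), next_hop_mtu) for a frag-needed error.
    The outer header is router -> sender, so the session is only identifiable
    from the embedded original header; this is the lookup conntrack performs
    before calling the packet RELATED. Returns None if it is not such an error."""
    outer = parse_ipv4(icmp_pkt)
    if outer["proto"] != ICMP_PROTO:
        return None
    icmp = outer["payload"]
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        return None
    inner = parse_ipv4(icmp[8:])
    if inner["proto"] != TCP_PROTO or len(inner["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    return (inner["src"], sport, inner["dst"], dport), mtu


def apply_pmtu(sessions, icmp_pkt):
    """Stateful handling: lower the tracked session's path MTU. Returns the new
    MTU, or None when the error matches no tracked session (the case where the
    error is lost and the sender keeps retransmitting until it times out)."""
    found = related_flow(icmp_pkt)
    if found is None or found[0] not in sessions:
        return None
    flow, mtu = found
    sessions[flow]["pmtu"] = min(sessions[flow]["pmtu"], mtu)
    return sessions[flow]["pmtu"]


# Constructed scenario: client 10.0.0.5:40000 -> server 198.51.100.7:80 sends a
# full 1500-byte segment; the next hop (192.0.2.1) has a 1400-byte link.
CLIENT, SERVER, ROUTER = "10.0.0.5", "198.51.100.7", "192.0.2.1"
FLOW = (CLIENT, 40000, SERVER, 80)
SEG = tcp_segment(40000, 80, b"x" * 1460)
PKT_DF = ipv4_header(CLIENT, SERVER, TCP_PROTO, len(SEG)) + SEG
PKT_NODF = ipv4_header(CLIENT, SERVER, TCP_PROTO, len(SEG), df=False) + SEG


def demo():
    sessions = {FLOW: {"pmtu": 1500}}
    kind, icmp = forward_hop(PKT_DF, 1400, ROUTER)
    outer = parse_ipv4(icmp)
    return {"df_result": kind,
            "icmp_outer": (outer["src"], outer["dst"]),   # router -> client, not the flow
            "related": related_flow(icmp)[0],
            "pmtu": apply_pmtu(sessions, icmp),
            "nodf_result": forward_hop(PKT_NODF, 1400, ROUTER),
            "unknown": apply_pmtu({}, icmp)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `icmp_outer` entry is the whole point of the thread: a box that only consults a route map sees a packet from 192.0.2.1 to 10.0.0.5 and has no reason to send it along the path of the 10.0.0.5 -> 198.51.100.7 session; only something that parses the embedded header (conntrack's RELATED handling) can. The `nodf_result` entry shows the workaround from the message: with DF clear the hop fragments instead of signalling, at the cost of fragmentation.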