|
Packit |
7b22a4 |
This target alters the MSS value of TCP SYN packets, to control
the maximum size for that connection (usually limiting it to your
outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively).
Of course, it can only be used
in conjunction with
\fB\-p tcp\fP.
.PP
This target is used to overcome criminally braindead ISPs or servers
which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
packets. The symptoms of this
problem are that everything works fine from your Linux
firewall/router, but machines behind it can never exchange large
packets:
.IP 1. 4
Web browsers connect, then hang with no data received.
.IP 2. 4
Small mail works fine, but large emails hang.
.IP 3. 4
ssh works fine, but scp hangs after initial handshaking.
.PP
Workaround: activate this option and add a rule to your firewall
configuration like:
.IP
iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN
\-j TCPMSS \-\-clamp\-mss\-to\-pmtu
.TP
\fB\-\-set\-mss\fP \fIvalue\fP
Explicitly sets the MSS option to the specified value. If the MSS of the packet is
already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux
2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS.
.TP
\fB\-\-clamp\-mss\-to\-pmtu\fP
Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6).
This may not function as desired where asymmetric routes with differing
path MTU exist \(em the kernel uses the path MTU which it would use to send
packets from itself to the source and destination IP addresses. Prior to
Linux 2.6.25, only the path MTU to the destination IP address was
considered by this option; subsequent kernels also consider the path MTU
to the source IP address.
.PP
These options are mutually exclusive.
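.PP
The clamping behaviour described above, modelled in user space as an added example (not code from iptables or the kernel). The names pmtu_limit, clamp_mss and SAMPLE_SYN are this example's own, and the sample segment is constructed. It walks the TCP options of a SYN, lowers the MSS option when it exceeds the limit, never raises it, and patches the TCP checksum incrementally.

```python
import struct
OVERHEAD = {4: 40, 6: 60}  # IP + TCP header bytes subtracted from the MTU (values from this page)

def pmtu_limit(pmtu_to_src, pmtu_to_dst, family=4):
    """MSS ceiling for the PMTU clamp: the smaller of the two path MTUs minus headers."""
    return min(pmtu_to_src, pmtu_to_dst) - OVERHEAD[family]

def _csum_fix(csum, old, new):
    """Incrementally update a 16-bit one's-complement checksum (RFC 1624)."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp, limit):
    """Lower the MSS option of a SYN segment to `limit`; never raise it."""
    if len(tcp) < 20 or tcp[13] & 0x06 != 0x02:    # same match as --tcp-flags SYN,RST SYN
        return tcp
    hdr_len = (tcp[12] >> 4) * 4
    if not 20 <= hdr_len <= len(tcp):
        return tcp                                   # malformed data offset
    i = 20
    while i < hdr_len:
        kind = tcp[i]
        if kind == 0:                                # End of Option List
            break
        if kind == 1:                                # NOP padding
            i += 1
            continue
        if i + 1 >= hdr_len or tcp[i + 1] < 2 or i + tcp[i + 1] > hdr_len:
            break                                    # truncated or bogus option length
        if kind == 2 and tcp[i + 1] == 4:            # MSS option
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= limit:
                return tcp                           # already low enough: left untouched
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, limit)
            o, n = old, limit
            if (i + 2) % 2:                          # odd offset: value straddles two checksum words
                o, n = (o >> 8 | o << 8) & 0xFFFF, (n >> 8 | n << 8) & 0xFFFF
            csum = struct.unpack_from("!H", tcp, 16)[0]
            struct.pack_into("!H", out, 16, _csum_fix(csum, o, n))
            return bytes(out)
        i += tcp[i + 1]
    return tcp

# Constructed sample: SYN with options MSS=1460, NOP, NOP, SACK-permitted (checksum field left 0)
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 7 << 4, 0x02, 64240, 0, 0) \
    + bytes([2, 4, 0x05, 0xB4, 1, 1, 4, 2])
```

With constructed path MTUs of 1500 and 1492, clamp_mss(SAMPLE_SYN, pmtu_limit(1500, 1492)) rewrites the option from 1460 to 1452.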