| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 1 | This target allows to alter the MSS value of TCP SYN packets, to control |
| 2 | the maximum size for that connection (usually limiting it to your |
| 3 | outgoing interface's MTU minus 40). Of course, it can only be used |
| 4 | in conjunction with |
| 5 | .BR "-p tcp" . |
| Patrick McHardy | dbbcf27 | 2005-12-05 01:22:50 +0000 | [diff] [blame] | 6 | It is only valid in the |
| 7 | .BR mangle |
| 8 | table. |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 9 | .br |
| 10 | This target is used to overcome criminally braindead ISPs or servers |
| 11 | which block ICMP Fragmentation Needed packets. The symptoms of this |
| 12 | problem are that everything works fine from your Linux |
| 13 | firewall/router, but machines behind it can never exchange large |
| 14 | packets: |
| 15 | .PD 0 |
| 16 | .RS 0.1i |
| 17 | .TP 0.3i |
| 18 | 1) |
| 19 | Web browsers connect, then hang with no data received. |
| 20 | .TP |
| 21 | 2) |
| 22 | Small mail works fine, but large emails hang. |
| 23 | .TP |
| 24 | 3) |
| 25 | ssh works fine, but scp hangs after initial handshaking. |
| 26 | .RE |
| 27 | .PD |
| 28 | Workaround: activate this option and add a rule to your firewall |
| 29 | configuration like: |
| 30 | .nf |
| Patrick McHardy | dbbcf27 | 2005-12-05 01:22:50 +0000 | [diff] [blame] | 31 | iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN \\ |
| Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | [diff] [blame] | 32 | -j TCPMSS --clamp-mss-to-pmtu |
| 33 | .fi |
| 34 | .TP |
| 35 | .BI "--set-mss " "value" |
| 36 | Explicitly set MSS option to specified value. |
| 37 | .TP |
| 38 | .B "--clamp-mss-to-pmtu" |
| 39 | Automatically clamp MSS value to (path_MTU - 40). |
| 40 | .TP |
| 41 | These options are mutually exclusive. |