Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 1 | This target allows altering the MSS value of TCP SYN packets, to control |
| 2 | the maximum size for that connection (usually limiting it to your |
Jan Engelhardt | e24815d | 2008-02-14 03:02:55 +0100 | 3 | outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). |
| 4 | Of course, it can only be used |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 5 | in conjunction with |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | 6 | \fB\-p tcp\fP. |
Patrick McHardy | dbbcf27 | 2005-12-05 01:22:50 +0000 | 7 | It is only valid in the |
| 8 | .BR mangle |
| 9 | table. |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 10 | .br |
| 11 | This target is used to overcome criminally braindead ISPs or servers |
Jan Engelhardt | e24815d | 2008-02-14 03:02:55 +0100 | 12 | which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" |
| 13 | packets. The symptoms of this |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 14 | problem are that everything works fine from your Linux |
| 15 | firewall/router, but machines behind it can never exchange large |
| 16 | packets: |
| 17 | .PD 0 |
| 18 | .RS 0.1i |
| 19 | .TP 0.3i |
| 20 | 1) |
| 21 | Web browsers connect, then hang with no data received. |
| 22 | .TP |
| 23 | 2) |
| 24 | Small mail works fine, but large emails hang. |
| 25 | .TP |
| 26 | 3) |
| 27 | ssh works fine, but scp hangs after initial handshaking. |
| 28 | .RE |
| 29 | .PD |
| 30 | Workaround: activate this option and add a rule to your firewall |
| 31 | configuration like: |
| 32 | .nf |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | 33 | iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN \\ |
| 34 | \-j TCPMSS \-\-clamp\-mss\-to\-pmtu |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 35 | .fi |
| 36 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | 37 | \fB\-\-set\-mss\fP \fIvalue\fP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 38 | Explicitly set MSS option to specified value. |
| 39 | .TP |
Jan Engelhardt | fea74bf | 2009-01-12 04:53:18 +0100 | 40 | \fB\-\-clamp\-mss\-to\-pmtu\fP |
| 41 | Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). |
Jan Engelhardt | aeafdb8 | 2008-08-12 11:42:04 +0200 | 42 | .PP |
Henrik Nordstrom | c279413 | 2004-01-22 15:04:24 +0000 | 43 | These options are mutually exclusive. |
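
What clamping the MSS to the path MTU means for a single SYN, as an added Python example (not part of the man page or of the netfilter code): it walks the TCP options, lowers the MSS option to path MTU minus 40 (IPv4) or 60 (IPv6), and patches the TCP checksum incrementally. The function names and the sample SYN are constructed here; leaving an already smaller MSS untouched and leaving SYNs without an MSS option unchanged are assumptions of this example.

```python
import struct

OVERHEAD = {4: 40, 6: 60}  # IP + TCP header bytes subtracted from the path MTU

def _csum_replace(check, old, new):
    """Incremental Internet checksum update, RFC 1624: HC' = ~(~HC + ~m + m')."""
    s = (~check & 0xFFFF) + (~old & 0xFFFF) + new
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(tcp_header, path_mtu, ip_version=4):
    """Lower the MSS option of a SYN to path_mtu - overhead; return (header, mss)."""
    hdr = bytearray(tcp_header)
    if len(hdr) < 20 or not hdr[13] & 0x02:      # too short, or SYN flag not set
        return bytes(hdr), None
    limit = path_mtu - OVERHEAD[ip_version]
    end = min((hdr[12] >> 4) * 4, len(hdr))      # data offset is in 32-bit words
    i = 20
    while i < end:
        kind = hdr[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            raise ValueError("malformed TCP option at offset %d" % i)
        if kind == 2 and hdr[i + 1] == 4:        # MSS option: kind 2, length 4
            old = struct.unpack_from("!H", hdr, i + 2)[0]
            if old <= limit:                     # assumption: never raise the MSS
                return bytes(hdr), old
            struct.pack_into("!H", hdr, i + 2, limit)
            o, n = old, limit
            if i % 2:                            # value straddles two checksum words
                o, n = (o >> 8) | (o & 0xFF) << 8, (n >> 8) | (n & 0xFF) << 8
            check = struct.unpack_from("!H", hdr, 16)[0]
            struct.pack_into("!H", hdr, 16, _csum_replace(check, o, n))
            return bytes(hdr), limit
        i += hdr[i + 1]
    return bytes(hdr), None                      # no MSS option present

# Constructed sample: SYN, data offset 6, checksum field 0, one option = MSS 1460
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 64240, 0, 0) \
    + bytes([2, 4]) + struct.pack("!H", 1460)
```

With a path MTU of 1492 (a typical PPPoE link) and IPv4, `clamp_mss(SAMPLE_SYN, 1492)` rewrites the advertised MSS from 1460 to 1452.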