[Firehol-support] PPPoE TCP MSS clamping / match

Costa Tsaousis costa at tsaousis.gr
Mon Dec 29 23:04:35 GMT 2003


Hi Daniel,

TCPMSS is used only in filter/FORWARD?

I am asking because I have the following options and I don't know which
one to choose:

1. Make this a helper command, to be used at the top of the firewall
configuration, like dnat, snat, transparent_squid, etc. with the syntax
you suggest.

2. Make this an option for routers which will be used the same way the
"policy" subcommand is used in interfaces. This way there will be no
optional rule parameters, since the router parameters will be inherited.
Example:

router x inface a outface b src xx dst yy ...
	tcpmss pmtu
	
	server x accept
	...

3. Make this an optional rule parameter (like log, src, dst, etc) which
could be used anywhere, even in client/server subcommands.

Can you point me to some documentation about the possible uses of TCPMSS?

Thanks

Costa


On Wed, 2003-12-10 at 15:00, Daniel Pittman wrote:
> In order to use my ADSL connection, I need to clamp the MSS value on TCP
> connections to something slightly lower than a standard Ethernet value.
> 
> Anyway, the "standard" way of achieving this for the in-kernel PPPoE
> driver is to issue the following iptables command:
> 
>     iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>              -j TCPMSS --clamp-mss-to-pmtu
> 
> Now, I can obviously stick that in using the 'iptables' command, but
> that is a bit less selective than I will want to be in the near future.
> 
> So, any chance of seeing an action to implement this?  I would suggest:
> 
>     tcpmss ( 'pmtu' | <number> ) <optional rule parameters>
> 
> If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
> otherwise pass '--set-mss <number>'.
> 
> Having it match on the 'router' statement, etc, would be ideal.
> 
> 
> That way I don't need to fiddle with the interface matching and so on
> when I have a PPPoE link and an 802.11 link heading out of the same box,
> and I need to clamp the MSS on only one of them.
> 
>     Daniel
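An added example, not code from this thread or from the FireHOL project: a POSIX shell function that maps Daniel's proposed `tcpmss ( 'pmtu' | <number> ) <optional rule parameters>` syntax onto the iptables rule quoted above, printing the command rather than running it so it can be reviewed first. The interface names ppp0 and eth1 and the MSS value 1412 are assumed sample values.

```shell
#!/bin/sh
# Added example (not FireHOL code): build the iptables TCPMSS rule from the
# proposed "tcpmss ( 'pmtu' | <number> ) <rule params>" syntax.
#
# tcpmss_rule ARG [extra iptables match options...]
#   ARG "pmtu"   -> -j TCPMSS --clamp-mss-to-pmtu
#   ARG <number> -> -j TCPMSS --set-mss <number>
# Any further arguments are inserted as match options (e.g. -o ppp0), which
# is how the rule is kept selective instead of applying to every link.
tcpmss_rule() {
    arg="$1"; shift
    case "$arg" in
        pmtu)
            target_opts="--clamp-mss-to-pmtu" ;;
        ''|*[!0-9]*)
            # Reject anything that is neither 'pmtu' nor a plain integer,
            # so a typo cannot silently produce a broken rule.
            echo "tcpmss: argument must be 'pmtu' or a number, got '$arg'" >&2
            return 1 ;;
        *)
            target_opts="--set-mss $arg" ;;
    esac
    opts="$*"
    # Only connection-opening packets carry an MSS option: match SYN set
    # and RST clear, exactly as in the hand-written rule from the thread.
    echo "iptables -A FORWARD${opts:+ $opts} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $target_opts"
}

# Sample usage (ppp0/eth1 are assumed names): clamp to PMTU on the PPPoE
# link only, and set a fixed MSS for traffic forwarded from eth1 to ppp0.
tcpmss_rule pmtu -o ppp0
tcpmss_rule 1412 -i eth1 -o ppp0
```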
