[Firehol-support] PPPoE TCP MSS clamping / match

Costa Tsaousis costa at tsaousis.gr
Fri Oct 8 23:48:36 BST 2004


Added 'tcpmss' helper in v1.205 (currently in the CVS).

--- Documentation ---
tcpmss <what>
The tcpmss helper sets the MSS (Maximum Segment Size) of TCP SYN packets
routed through the firewall. Its purpose is to overcome situations where
Path MTU Discovery is not working and packet fragmentation is not
Within FireHOL, it can be defined either before any primary command, in
which case it is applied to all traffic passing through the firewall, or
to any router, in which case it is applied to traffic matched by the
router. In both cases, TCP SYN packets in both directions (in/out) are

The argument can either be the word 'auto' or a number:

- The word 'auto' will make the TCP connections have MSS equal to the MTU
of the outgoing interface minus 40 (clamp-mss-to-pmtu).
- A numeric argument will make the TCP connections have MSS equal to the
number given.

See also Circumventing Path MTU Discovery issues with MSS Clamping (for
ADSL, cable, PPPoE & PPtP users) in the Linux Advanced Routing & Traffic
Control HOWTO.

Example 1: tcpmss auto
Example 2: tcpmss 500
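As an added illustration (not FireHOL's own code), the following POSIX shell snippet shows what the 'auto' and numeric forms of such a helper boil down to at the iptables level, using the FORWARD rule quoted in the thread. The function names `tcpmss_rule` and `mss_for_mtu` are assumptions for this example; extra arguments are passed through as iptables matches so the rule can be narrowed the way a router's matches would narrow it.

```sh
#!/bin/sh
# Added example, not FireHOL code: translate a tcpmss-style argument
# ('auto' or a number) into the iptables rule that clamps the MSS of
# TCP SYN packets routed through the box.
#
# Usage: tcpmss_rule auto [extra iptables matches...]
#        tcpmss_rule 1452 [extra iptables matches...]
# The rule is printed, not applied, so it can be inspected first.
tcpmss_rule() {
    what="$1"
    shift
    case "$what" in
        auto)
            # derive the MSS from the path MTU of the outgoing interface
            target="-j TCPMSS --clamp-mss-to-pmtu" ;;
        ''|*[!0-9]*)
            echo "tcpmss: argument must be 'auto' or a number, got '$what'" >&2
            return 1 ;;
        *)
            # fixed MSS value supplied by the administrator
            target="-j TCPMSS --set-mss $what" ;;
    esac
    # Only SYN packets (SYN set, RST clear) carry the MSS option to rewrite.
    rule="iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN"
    if [ $# -gt 0 ]; then
        # caller-supplied matches, e.g. "-o ppp0", narrow the rule
        rule="$rule $*"
    fi
    echo "$rule $target"
}

# The MSS that 'auto' arrives at for a given link MTU: the MTU minus the
# 20-byte IPv4 header and 20-byte TCP header (1492 on PPPoE gives 1452).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Sample invocations (constructed): clamp on everything forwarded, or only
# on traffic leaving a hypothetical PPPoE interface ppp0.
tcpmss_rule auto
tcpmss_rule "$(mss_for_mtu 1492)" -o ppp0
```

Passing an interface match such as `-o ppp0` is how the rule is kept off other uplinks on the same box, which is the selectivity the thread asks for; the printed command can be fed to a shell once it looks right.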

> Hi Daniel,
> TCPMSS is used only in filter/FORWARD?
> I am asking because I have the following options and I don't know which
> one to choose:
> 1. Make this a helper command, to be used at the top of the firewall
> configuration, like dnat, snat, transparent_squid, etc. with the syntax
> you suggest.
> 2. Make this an option for routers which will be used the same way the
> "policy" subcommand is used in interfaces. This way there will be no
> optional rule parameters, since the router parameters will be inherited.
> Example:
> router x inface a outface b src xx dst yy ...
> 	tcpmss pmtu
> 	server x accept
> 	...
> 3. Make this an optional rule parameter (like log, src, dst, etc) which
> could be used anywhere, even in client/server subcommands.
> Can you point some documentation about the possible uses of TCPMSS?
> Thanks
> Costa
> On Wed, 2003-12-10 at 15:00, Daniel Pittman wrote:
>> In order to use my ADSL connection, I need to clamp the MSS value on TCP
>> connections to something slightly lower than a standard Ethernet value.
>> Anyway, the "standard" way of achieving this for the in-kernel PPPoE
>> driver is to issue the following iptables command:
>>     iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
>>              -j TCPMSS --clamp-mss-to-pmtu
>> Now, I can obviously stick that in using the 'iptables' command, but
>> that is a bit less selective than I will want to be in the near future.
>> So, any chance of seeing an action to implement this?  I would suggest:
>>     tcpmss ( 'pmtu' | <number> ) <optional rule parameters>
>> If the argument is 'pmtu', pass the '--clamp-mss-to-pmtu' option,
>> otherwise pass '--set-mss <number>'.
>> Having it match on the 'router' statement, etc, would be ideal.
>> That way I don't need to fiddle with the interface matching and so on
>> when I have a PPPoE link and an 802.11 link heading out of the same box,
>> and I need to clamp the MSS on only one of them.
>>     Daniel
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
