diff options
| author | Kibum Kim <kb0929.kim@samsung.com> | 2012-01-07 00:47:33 +0900 |
|---|---|---|
| committer | Kibum Kim <kb0929.kim@samsung.com> | 2012-01-07 00:47:33 +0900 |
| commit | 8df0096515fc2575560e13982f9edf76bf39555e (patch) | |
| tree | 0d683bc1583f241ae5675f5fbdccb7260212b35b /extensions/libxt_TCPMSS.man | |
| parent | dbc5ef4889caa206f4d47d83345357780ceef73e (diff) | |
| download | iptables-8df0096515fc2575560e13982f9edf76bf39555e.tar.gz iptables-8df0096515fc2575560e13982f9edf76bf39555e.tar.bz2 iptables-8df0096515fc2575560e13982f9edf76bf39555e.zip | |
Git init
Diffstat (limited to 'extensions/libxt_TCPMSS.man')
| -rw-r--r-- | extensions/libxt_TCPMSS.man | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/extensions/libxt_TCPMSS.man b/extensions/libxt_TCPMSS.man new file mode 100644 index 0000000..ac8fb4e --- /dev/null +++ b/extensions/libxt_TCPMSS.man @@ -0,0 +1,47 @@ +This target allows to alter the MSS value of TCP SYN packets, to control +the maximum size for that connection (usually limiting it to your +outgoing interface's MTU minus 40 for IPv4 or 60 for IPv6, respectively). +Of course, it can only be used +in conjunction with +\fB\-p tcp\fP. +.PP +This target is used to overcome criminally braindead ISPs or servers +which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big" +packets. The symptoms of this +problem are that everything works fine from your Linux +firewall/router, but machines behind it can never exchange large +packets: +.PD 0 +.RS 0.1i +.TP 0.3i +1) +Web browsers connect, then hang with no data received. +.TP +2) +Small mail works fine, but large emails hang. +.TP +3) +ssh works fine, but scp hangs after initial handshaking. +.RE +.PD +Workaround: activate this option and add a rule to your firewall +configuration like: +.IP + iptables \-t mangle \-A FORWARD \-p tcp \-\-tcp\-flags SYN,RST SYN + \-j TCPMSS \-\-clamp\-mss\-to\-pmtu +.TP +\fB\-\-set\-mss\fP \fIvalue\fP +Explicitly sets MSS option to specified value. If the MSS of the packet is +already lower than \fIvalue\fP, it will \fBnot\fP be increased (from Linux +2.6.25 onwards) to avoid more problems with hosts relying on a proper MSS. +.TP +\fB\-\-clamp\-mss\-to\-pmtu\fP +Automatically clamp MSS value to (path_MTU \- 40 for IPv4; \-60 for IPv6). +This may not function as desired where asymmetric routes with differing +path MTU exist \(em the kernel uses the path MTU which it would use to send +packets from itself to the source and destination IP addresses. Prior to +Linux 2.6.25, only the path MTU to the destination IP address was +considered by this option; subsequent kernels also consider the path MTU +to the source IP address. +.PP +These options are mutually exclusive. |