Mangle TCP options

From nftables wiki

Since Linux kernel 4.14 and nftables 0.9, you can clamp your TCP MSS to the Path MTU. This is very convenient when your router encapsulates traffic over PPPoE, as many DSL (and some FTTH) providers do:

nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set rt mtu

where rt mtu calculates the MTU at runtime from what the routing cache has observed via Path MTU Discovery (PMTUD).

Note for iptables users: 'tcp option maxseg size set rt mtu' is equivalent to '-j TCPMSS --clamp-mss-to-pmtu'.

You can also set it manually to a fixed value. PPPoE, for example, takes 8 bytes to encapsulate each packet, so assuming an MTU of 1500 bytes: 1500 - 20 (IPv4 header) - 20 (TCP header) - 8 (PPPoE header) = 1452 bytes:

nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452
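The following script is an added example, not part of the nftables wiki or the nftables project. It derives the fixed MSS from the link MTU and the encapsulation overhead (the 1500 - 20 - 20 - 8 calculation above) and emits a complete ruleset for `nft -f -` in either the rt mtu form or the fixed-value form. It assumes an uplink named ppp0, an "inet filter" table with a "forward" chain, and 8 bytes of PPPoE overhead; the IPv6 case (40-byte header) is an extension beyond the page's IPv4 example.

```shell
#!/bin/sh
# Added example (not from the nftables wiki): compute the MSS that fits a
# given MTU after encapsulation, and print an nftables ruleset that clamps
# the MSS of SYN segments leaving the PPPoE uplink.
# Assumptions: interface ppp0, table "inet filter", chain "forward",
# 8 bytes of PPPoE overhead. The IPv6 header size (40) is not on the page.

# mss_for_mtu FAMILY MTU OVERHEAD: print the largest TCP payload that fits.
# The TCP header without options is 20 bytes for both IPv4 and IPv6.
mss_for_mtu() {
  case "$1" in
    ip)  iphdr=20 ;;
    ip6) iphdr=40 ;;
    *)   echo "mss_for_mtu: unknown family '$1'" >&2; return 1 ;;
  esac
  echo $(( $2 - iphdr - 20 - $3 ))
}

# clamp_ruleset IFACE MTU OVERHEAD MODE: MODE is "pmtu" (clamp to the MTU
# learned by PMTUD, as in the first rule above) or "fixed" (precomputed
# value per family, as in the second rule above). Only one mode is used at
# a time: "set" statements do not terminate rule evaluation, so a later
# fixed rule would silently overwrite an earlier rt mtu clamp.
clamp_ruleset() {
  iface=$1 mtu=$2 overhead=$3 mode=$4
  case "$mode" in
    pmtu)
      rules="    oifname \"$iface\" tcp flags syn tcp option maxseg size set rt mtu"
      ;;
    fixed)
      mss4=$(mss_for_mtu ip "$mtu" "$overhead") || return 1
      mss6=$(mss_for_mtu ip6 "$mtu" "$overhead") || return 1
      rules="    oifname \"$iface\" meta nfproto ipv4 tcp flags syn tcp option maxseg size set $mss4
    oifname \"$iface\" meta nfproto ipv6 tcp flags syn tcp option maxseg size set $mss6"
      ;;
    *) echo "clamp_ruleset: mode must be pmtu or fixed" >&2; return 1 ;;
  esac
  printf '%s\n' "table inet filter {" "  chain forward {" \
    "    type filter hook forward priority 0; policy accept;" \
    "$rules" "  }" "}"
}

# Usage: clamp_ruleset ppp0 1500 8 pmtu | nft -f -
```

Run `clamp_ruleset ppp0 1500 8 fixed` to see the precomputed rules (1452 for IPv4, 1432 for IPv6); passing the PPP link's own MTU with overhead 0 (e.g. `mss_for_mtu ip 1492 0`) gives the same 1452.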

Other supported TCP options are: window, sack-permitted, sack, timestamp and eol.