Mangle TCP options: Difference between revisions

From nftables wiki
Jump to navigation Jump to search
(initial)
 
(Replaced text with link to Mangling packet headers, where this page has been copied to section "Mangling TCP options".)
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
Since Linux kernel 4.13 and nftables 0.9, you can clamp your TCP MSS to Path MTU. This is very convenient in case your router encapsulates traffic over PPPoE, which is what many DSL (and some FTTH) providers do:
See: [[Mangling packet headers]]
 
<source lang="bash">
nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set rt mtu
</source>
 
where '''rt mtu''' calculates the MTU in runtime based on what the routing cache has observed via Path MTU Discovery (PMTUD).
 
Note for iptables users: 'tcp option maxseg size set rt mtu' is equivalent to '-j TCPMSS --clamp-mss-to-pmtu'.
 
You can also manually set to fixed value, eg. PPPoE takes 8 bytes to encapsulate packets, therefore, assuming MTU of 1500 bytes, 1500 - 20 (IPv4 Header) - 20 (TCP header) - 8 (PPPoE header) = 1452 bytes:
 
<source lang="bash">
nft add rule ip filter forward oifname ppp0 tcp flags syn tcp option maxseg size set 1452
</source>
 
Other supported TCP options are: window, sack-permitted, sack, timestamp and eol.

Latest revision as of 22:26, 16 April 2021

See: Mangling packet headers

Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Mangle_TCP_options&oldid=935"