Set-mss in iptables not modifying mss in TCP packet
Hi,
I can't get iptables to adjust mss in Openwrt.
I need to set all packets exiting to set mss to 1360. I had to turn off pmtu discovery so the auto clamping is not an option. The exit interface from the gretap tunnel is eth0.3. The packets come into the GRETAP interface that is a strongswan radius assigned VIP. So gretap > br0 > eth0.3. So when they exit eth0.3 the GRETAP encapsulation should be gone. I added rules to both mangle FORWARD and POSTROUTING and nothing.
Ok, I'm thinking your rules are not matching the packets, thus nothing is being altered. Have you tried to remove the Flag settings from your rules since you state "I need to set all packets exiting to set mss to 1360"? If you need all packets then the Flag setting should not matter.
Here's what I figured out since last night. If I remove the -o flag, set a policy rule, I get further. While my rule gets hits, sadly it does not mangle the mss:
root@Need-Config:/etc# iptables -t mangle -S -v
-P PREROUTING ACCEPT -c 2347 1589909
-P INPUT ACCEPT -c 2306 1586734
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 2003 559362
-P POSTROUTING ACCEPT -c 0 0
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1340
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 24 1440 -j TCPMSS --set-mss 1340 <--Rule is hit, but does not mangle the tcp mss value on exit
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1340
-A POSTROUTING -o eth0.2 -c 22435 5712270 -j ACCEPT
-A POSTROUTING -o gre-gretap_NAT1 -c 0 0 -j ACCEPT
-A POSTROUTING -o br-lan -c 3715 559360 -j ACCEPT
-A POSTROUTING -o tap0 -c 0 0 -j ACCEPT
-A POSTROUTING -o eth0.1 -c 0 0 -j ACCEPT
-A POSTROUTING -o lo -c 486 80333 -j ACCEPT
-A POSTROUTING -o eth0.3 -c 0 0 -j ACCEPT
-A POSTROUTING -o br-br0 -c 0 0 -j ACCEPT
-A POSTROUTING -o eth0 -c 2427 116496 -j ACCEPT
root@Need-Config:/etc#
Below is a connection to craigslist from the local client of 10.105.0.200. As you can see, the mss is not 1340, though this rule, "-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 24 1440 -j TCPMSS --set-mss 1340" is being hit.
I did some testing on a couple of Mikrotiks which use iptables/nf. I set up one operating in layer 3 and one operating in L2, bridging ports as my setup is on the current devices. The set-mss did not work in bridge mode. iptables just ignored the packets. I wonder if a packet needs to be L3 routed instead of L2 forwarded for iptables to adjust the mss? Perhaps?
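Added example (not code from the thread or from OpenWrt/netfilter): a small Python script that shows what a TCPMSS-style --set-mss rewrite does to the bytes of a SYN, and the two checks worth running on a capture taken on the exit interface: read the advertised MSS option, and verify the TCP checksum, since a mangled SYN with a stale checksum is dropped by the peer rather than counted as "not mangled". The sample packet is constructed here: it goes from the thread's client 10.105.0.200 to a documentation address (203.0.113.10, RFC 5737), ports and sequence number are arbitrary. The rewrite is simplified against the kernel target in one respect: it only changes an MSS option that is already present, whereas the real TCPMSS target also inserts one into a SYN that lacks it.

```python
"""Constructed example: a TCPMSS-style rewrite of the MSS option on a SYN."""
import struct
from ipaddress import IPv4Address

SYN = 0x02
TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2


def _ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum shared by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF


def _split(packet: bytes):
    """Return (ihl, src, dst, tcp_segment, data_offset, flags) for an IPv4/TCP packet."""
    if packet[0] >> 4 != 4 or packet[9] != TCP_PROTO:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    data_off = (segment[12] >> 4) * 4
    return ihl, packet[12:16], packet[16:20], segment, data_off, segment[13]


def _mss_option_offset(segment: bytes, data_off: int):
    """Offset of the 2-byte MSS value inside the segment's option list, or None."""
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:
            break  # malformed option list: stop rather than loop forever
        if kind == OPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def get_mss(packet: bytes):
    """MSS advertised in the segment's options, or None if the option is absent."""
    _, _, _, segment, data_off, _ = _split(packet)
    off = _mss_option_offset(segment, data_off)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the stored TCP checksum matches the segment (sum folds to zero)."""
    _, src, dst, segment, _, _ = _split(packet)
    return tcp_checksum(src, dst, segment) == 0


def set_mss(packet: bytes, new_mss: int) -> bytes:
    """Rewrite an existing MSS option on a SYN and recompute the TCP checksum.
    Non-SYN segments and SYNs without an MSS option are returned untouched."""
    ihl, src, dst, segment, data_off, flags = _split(packet)
    if not flags & SYN:
        return packet
    off = _mss_option_offset(segment, data_off)
    if off is None:
        return packet
    seg = bytearray(segment)
    seg[off:off + 2] = struct.pack("!H", new_mss)
    seg[16:18] = b"\x00\x00"  # checksum field must be zero while summing
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return packet[:ihl] + bytes(seg)  # IP header is untouched, its checksum still holds


def build_syn(src: str, dst: str, sport: int, dport: int, mss: int, flags: int = SYN) -> bytes:
    """Constructed IPv4/TCP segment carrying MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, 4, 2])
    data_off = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0x1000, 0, (data_off // 4) << 4,
                      flags, 65535, 0, 0) + options
    s, d = IPv4Address(src).packed, IPv4Address(dst).packed
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(s, d, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, TCP_PROTO, 0, s, d)
    ip = ip[:10] + struct.pack("!H", (~_ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp


if __name__ == "__main__":
    syn = build_syn("10.105.0.200", "203.0.113.10", 40000, 443, 1460)
    print("before:", get_mss(syn), tcp_checksum_ok(syn))
    clamped = set_mss(syn, 1340)
    print("after: ", get_mss(clamped), tcp_checksum_ok(clamped))
```

On the router itself the same check is a capture on the exit interface, e.g. `tcpdump -nvv -i eth0.3 'tcp[tcpflags] & tcp-syn != 0'`, whose verbose output prints the `mss` option of every SYN, so the value seen there can be compared with what the rule is meant to set. One thing to keep in mind when the path is bridged rather than routed, as the last post wonders: bridged frames only pass through the iptables chains when the br_netfilter module is loaded and `net.bridge.bridge-nf-call-iptables` is 1; a rule that is counted as hit is evidently seeing packets, but a rule with `-o eth0.3` on a pure L2 path may never see them at all.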