tcpmss match for IPv6 ?
pascal.mail at plouf.fr.eu.org
Thu Jul 12 23:44:38 CEST 2007
I hope this is the right list for my question.
Support of the TCPMSS target for IPv6 was recently added in the kernel
and ip6tables. It can help fixing some MTU blackhole issues, so thanks.
However there is currently no support of the tcpmss match for IPv6 yet,
although xt_tcpmss.c in the kernel seems to be IPv6 compatible.
Has anyone already submitted a patch to add support for an IPv6 tcpmss
match in ip6tables ? It seems trivial to derive from the existing IPv4
tcpmss match for iptables. I believe I could even do it although I am
not a software developper and don't know how to submit a patch.
I ask because I would have a use for an IPv6 tcpmss match in conjunction
with the IPv6 TCPMSS target. "-j TCPMSS --clamp-mss-to-pmtu" may not be
optimal, still allowing underlying fragmentation at a lower layer
because of encapsulation (e.g. my ISP uses IPv6 over PPP over L2TP over
UDP over IP over ethernet, where the optimal non-fragmenting IPv6 MTU is
1460 due to the PPP+L2TP+UDP+IP overhead). Lowering the MTU is not an
option, as I want to keep the ability to send and receive as big packets
as the link allows. "-j TCPMSS --set-mss 1400" could be used to prevent
TCP connections from causing fragmentation of the L2TP packets, but I
must check that the original MSS is above 1400 before changing it. Else
it would increase the MSS, which is not desirable. So I would need the
tcpmss match in order to check the original MSS. Another solution would
be a new "--clamp-mss <value>" option in the TCPMSS target which would
clamp (i.e. decreases if higher) the MSS down to an arbitrary value
instead of a value based on the PMTU. But I feel it would be more
Thanks for your attention.
More information about the netfilter-devel