tcpmss match for IPv6?

Pascal Hambourg pascal.mail at
Thu Jul 12 23:44:38 CEST 2007


I hope this is the right list for my question.
Support of the TCPMSS target for IPv6 was recently added in the kernel 
and ip6tables. It can help fix some MTU blackhole issues, so thanks. 
However there is currently no support of the tcpmss match for IPv6 yet, 
although xt_tcpmss.c in the kernel seems to be IPv6 compatible.

Has anyone already submitted a patch to add support for an IPv6 tcpmss 
match in ip6tables? It seems trivial to derive from the existing IPv4 
tcpmss match for iptables. I believe I could even do it although I am 
not a software developer and don't know how to submit a patch.

I ask because I would have a use for an IPv6 tcpmss match in conjunction 
with the IPv6 TCPMSS target. "-j TCPMSS --clamp-mss-to-pmtu" may not be 
optimal, still allowing underlying fragmentation at a lower layer 
because of encapsulation (e.g. my ISP uses IPv6 over PPP over L2TP over 
UDP over IP over ethernet, where the optimal non-fragmenting IPv6 MTU is 
1460 due to the PPP+L2TP+UDP+IP overhead). Lowering the MTU is not an 
option, as I want to keep the ability to send and receive as big packets 
as the link allows. "-j TCPMSS --set-mss 1400" could be used to prevent 
TCP connections from causing fragmentation of the L2TP packets, but I 
must check that the original MSS is above 1400 before changing it. Else 
it would increase the MSS, which is not desirable. So I would need the 
tcpmss match in order to check the original MSS. Another solution would 
be a new "--clamp-mss <value>" option in the TCPMSS target which would 
clamp (i.e. decrease if higher) the MSS down to an arbitrary value 
instead of a value based on the PMTU. But I feel it would be more 

Thanks for your attention.
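
The check-then-lower behaviour the message asks for (only touch the MSS when the original value is above the chosen limit), as an added example that is not part of the original post and is not netfilter code. It is a userspace sketch: `clamp_mss()`, `set_byte()`, `csum_replace16()` and the sample header bytes are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 1624 incremental checksum update for one 16-bit word, old -> upd. */
static uint16_t csum_replace16(uint16_t csum, uint16_t old, uint16_t upd)
{
    uint32_t sum = (uint32_t)(uint16_t)~csum + (uint16_t)~old + upd;
    sum = (sum & 0xffff) + (sum >> 16);
    sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Overwrite one header byte and patch the TCP checksum (bytes 16-17). */
static void set_byte(uint8_t *tcp, size_t off, uint8_t v)
{
    unsigned sh = (off & 1) ? 0 : 8;  /* even offset = high byte of its word */
    uint16_t csum = (uint16_t)(tcp[16] << 8 | tcp[17]);
    csum = csum_replace16(csum, (uint16_t)(tcp[off] << sh), (uint16_t)(v << sh));
    tcp[off] = v;
    tcp[16] = (uint8_t)(csum >> 8);
    tcp[17] = (uint8_t)csum;
}

/* Hypothetical helper: lower the MSS option to limit, never raise it. Returns
 * the original MSS, 0 if absent, -1 if the header or an option is malformed. */
int clamp_mss(uint8_t *tcp, size_t len, uint16_t limit)
{
    size_t doff = len < 20 ? 0 : (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > len)
        return -1;
    for (size_t i = 20; i < doff && tcp[i] != 0; ) {  /* 0 = end of options */
        if (tcp[i] == 1) { i++; continue; }             /* 1 = NOP padding */
        if (i + 1 >= doff || tcp[i + 1] < 2 || i + tcp[i + 1] > doff)
            return -1;
        if (tcp[i] == 2 && tcp[i + 1] == 4) {           /* 2 = MSS, length 4 */
            uint16_t old = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]);
            if (old > limit) {
                set_byte(tcp, i + 2, (uint8_t)(limit >> 8));
                set_byte(tcp, i + 3, (uint8_t)limit);
            }
            return old;
        }
        i += tcp[i + 1];
    }
    return 0;
}

/* Constructed sample: SYN header, arbitrary checksum 0x1234, MSS option 1460. */
uint8_t sample_syn[24] = { 0xc0, 0x00, 0x00, 0x50, 0, 0, 0, 1, 0, 0, 0, 0, 0x60, 0x02,
                           0xff, 0xff, 0x12, 0x34, 0, 0, 2, 4, 0x05, 0xb4 };
```

The checksum is patched per byte so the update stays correct when NOP padding puts the MSS option at an odd offset.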
