Hello

TCPMSS is now (since 28669 & 28671, 4 months ago) in the mangle table

I know I can fix it, but it's the default behaviour of OpenWrt to break ICMP (by 
default it only accepts IPv4 ICMP echo-request on wan)

Here is a good schema of netfilter to understand it 
(http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg)

I've found an ugly case (with the multiwan package) where Linux doesn't set the 
MSS right.
In this case MSS clamping in POSTROUTING solves the problem.

Say you have 2 or more default routes (0.0.0.0 mask): it will set the MSS to 
the first default route, the multiwan magic will happen (reroute check part of 
the schema), and if your packet goes out through another wan, the MSS is the one 
of the first default route.

A plausible example:
First default route: optical fiber (MTU 1500)
Second default route: PPPoE (MTU 1492) (failover link)
If the optical fiber goes down, the traffic from the router will pass through 
the PPPoE link, but with an MSS set to 1500-40 instead of 1492-40

There is no problem clamping from POSTROUTING (iptables -t mangle -A 
POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o br-wan -j TCPMSS 
--clamp-mss-to-pmtu works well; as stated in the man page it only decreases the 
MSS, never increases it)

To conclude, even if it's only for a few users, I see only benefits in doing MSS 
clamping in POSTROUTING

Le 18/02/2012 22:59, Oliver a écrit :
> On Saturday 18 Feb 2012 19:32:04 Etienne Champetier wrote:
>> Hello
>>
>> Is there a reason why the MSS clamping is done in FORWARD instead of
>> POSTROUTING? (it's the example in the manpage...)
>>
> you shouldn't /need/ to clamp the MSS of packets to and from the router 
> unless you're breaking ICMP, in which case, stop breaking ICMP. - also, if 
> I remember rightly, clamping to pmtu isn't possible from the POSTROUTING 
> chain.
>
> The only real discrepancy is that TCPMSS should be used in the mangle 
> table, not filter - but fortunately it doesn't usually break anything if 
> you fail to adhere to this.
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
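The multiwan failover case described in the message above, as an added model written for this thread (it is not OpenWrt, multiwan or netfilter code). It follows a router-generated SYN through the simplified hook order the message relies on: the kernel sizes the MSS from the first default route, multiwan's mark and the reroute check move the packet to the healthy link, and only a clamp in mangle POSTROUTING runs after that move. The link names, MTUs and the health state are constructed; the hook behaviour is a deliberate simplification (the reroute check only re-runs routing when the mark changed, and metrics and PMTU discovery are ignored).

```python
"""Added model (not OpenWrt or netfilter code) of where a TCPMSS clamp sees the
real egress link: mangle OUTPUT (before the reroute check) versus mangle
POSTROUTING (after it). Link names, MTUs and the health state are constructed."""
from dataclasses import dataclass

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20); MSS = MTU - 40 on a plain link


@dataclass(frozen=True)
class Link:
    name: str
    mtu: int


@dataclass
class Syn:
    mss: int       # MSS option carried in the SYN
    out_dev: str   # interface netfilter currently believes the packet leaves on


def clamp_mss_to_pmtu(syn: Syn, link: Link) -> Syn:
    """Behaviour of -j TCPMSS --clamp-mss-to-pmtu on one link: lower the MSS to
    what fits the link MTU, never raise it (as the man page states)."""
    limit = link.mtu - IP_TCP_HEADERS
    if syn.mss > limit:
        syn.mss = limit
    return syn


def send_local_syn(requested_mss: int, main_table: list[Link],
                   healthy: set[str], clamp_hook: str) -> Syn:
    """Simplified path of a SYN generated on the router itself.

    main_table: default routes in the order the kernel tries them (first wins).
    healthy:    links the multiwan health check still considers usable.
    clamp_hook: "output", "postrouting" or "none".
    Model assumptions: the TCP stack sizes the MSS from the first default
    route; multiwan then marks the packet and the reroute check moves it to the
    first healthy link; POSTROUTING is the only hook that runs after that move.
    """
    if clamp_hook not in ("output", "postrouting", "none"):
        raise ValueError(clamp_hook)
    first = main_table[0]
    # 1. initial routing decision: MSS derived from the first default route's MTU
    syn = Syn(mss=min(requested_mss, first.mtu - IP_TCP_HEADERS), out_dev=first.name)
    # 2. mangle OUTPUT: a clamp here only knows the pre-reroute interface
    if clamp_hook == "output":
        clamp_mss_to_pmtu(syn, first)
    # 3. multiwan marks the packet; the reroute check picks the preferred healthy link
    egress = next((link for link in main_table if link.name in healthy), None)
    if egress is None:
        raise RuntimeError("no usable default route")
    syn.out_dev = egress.name
    # 4. mangle POSTROUTING: a clamp here sees the real egress link
    if clamp_hook == "postrouting":
        clamp_mss_to_pmtu(syn, egress)
    return syn


FIBER = Link("eth0.2", 1500)     # constructed: optical fiber, MTU 1500
PPPOE = Link("pppoe-wan", 1492)  # constructed: PPPoE failover link, MTU 1492
MAIN_TABLE = [FIBER, PPPOE]      # fiber is the first default route


def failover_mss(clamp_hook: str) -> int:
    """MSS that leaves the router when fiber is down and traffic fails over to PPPoE."""
    return send_local_syn(1460, MAIN_TABLE, {"pppoe-wan"}, clamp_hook).mss


def mss_fits(mss: int, link: Link) -> bool:
    """True when a full-size segment with this MSS fits the link MTU."""
    return mss + IP_TCP_HEADERS <= link.mtu


if __name__ == "__main__":
    for hook in ("none", "output", "postrouting"):
        mss = failover_mss(hook)
        print(f"clamp in {hook:11s}: MSS {mss}, fits PPPoE MTU: {mss_fits(mss, PPPOE)}")
```

With both links healthy the result is the same wherever the clamp sits, which is why the problem only shows up on failover; the POSTROUTING clamp is also a no-op for a SYN that already advertises a small MSS, matching the "only decreases, never increases" behaviour of the rule quoted in the message.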
