Loading include/linux/netfilter/Kbuild +1 −0 Original line number Diff line number Diff line Loading @@ -33,6 +33,7 @@ header-y += xt_tcpmss.h header-y += xt_tcpudp.h header-y += xt_SECMARK.h header-y += xt_CONNSECMARK.h header-y += xt_TCPMSS.h unifdef-y += nf_conntrack_common.h unifdef-y += nf_conntrack_ftp.h Loading include/linux/netfilter/xt_TCPMSS.h 0 → 100644 +10 −0 Original line number Diff line number Diff line #ifndef _XT_TCPMSS_H #define _XT_TCPMSS_H struct xt_tcpmss_info { u_int16_t mss; }; #define XT_TCPMSS_CLAMP_PMTU 0xffff #endif /* _XT_TCPMSS_H */ include/linux/netfilter_ipv4/ipt_TCPMSS.h +3 −4 Original line number Diff line number Diff line #ifndef _IPT_TCPMSS_H #define _IPT_TCPMSS_H struct ipt_tcpmss_info { u_int16_t mss; }; #include <linux/netfilter/xt_TCPMSS.h> #define IPT_TCPMSS_CLAMP_PMTU 0xffff #define ipt_tcpmss_info xt_tcpmss_info #define IPT_TCPMSS_CLAMP_PMTU XT_TCPMSS_CLAMP_PMTU #endif /*_IPT_TCPMSS_H*/ net/ipv4/netfilter/Kconfig +0 −26 Original line number Diff line number Diff line Loading 
@@ -361,32 +361,6 @@ config IP_NF_TARGET_ULOG To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_TCPMSS tristate "TCPMSS target support" depends on IP_NF_IPTABLES ---help--- This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets: 1) Web browsers connect, then hang with no data received. 2) Small mail works fine, but large emails hang. 3) ssh works fine, but scp hangs after initial handshaking. Workaround: activate this option and add a rule to your firewall configuration like: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu To compile it as a module, choose M here. If unsure, say N. # NAT + specific targets: ip_conntrack config IP_NF_NAT tristate "Full NAT" Loading net/ipv4/netfilter/Makefile +0 −1 Original line number Diff line number Diff line Loading @@ -103,7 +103,6 @@ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o Loading Loading
include/linux/netfilter/Kbuild +1 −0 Original line number Diff line number Diff line Loading @@ -33,6 +33,7 @@ header-y += xt_tcpmss.h header-y += xt_tcpudp.h header-y += xt_SECMARK.h header-y += xt_CONNSECMARK.h header-y += xt_TCPMSS.h unifdef-y += nf_conntrack_common.h unifdef-y += nf_conntrack_ftp.h Loading
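--- /dev/null
+++ b/include/linux/netfilter/xt_TCPMSS.h
+#ifndef _XT_TCPMSS_H
+#define _XT_TCPMSS_H
+struct xt_tcpmss_info {
+	u_int16_t mss;
+};
+#define XT_TCPMSS_CLAMP_PMTU 0xffff
+#endif /* _XT_TCPMSS_H */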
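Review bot: The new header is exported to userspace (the Kbuild section of this commit adds it to header-y) yet it uses `u_int16_t` without including anything that declares it, so it only compiles in translation units that happened to pull in the libc's sys/types.h first. Exported kernel headers conventionally use the `__u16` type from linux/types.h; `#include <linux/types.h>` plus `__u16 mss;` keeps the same 16-bit layout that the old ipt_tcpmss_info had while removing the libc dependency. The sentinel value also deserves a comment, since the Kconfig text removed in this same commit describes it as the --clamp-mss-to-pmtu mode rather than a literal MSS: `#define XT_TCPMSS_CLAMP_PMTU 0xffff /* clamp MSS to path MTU instead of a fixed value */`.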
include/linux/netfilter_ipv4/ipt_TCPMSS.h +3 −4 Original line number Diff line number Diff line #ifndef _IPT_TCPMSS_H #define _IPT_TCPMSS_H struct ipt_tcpmss_info { u_int16_t mss; }; #include <linux/netfilter/xt_TCPMSS.h> #define IPT_TCPMSS_CLAMP_PMTU 0xffff #define ipt_tcpmss_info xt_tcpmss_info #define IPT_TCPMSS_CLAMP_PMTU XT_TCPMSS_CLAMP_PMTU #endif /*_IPT_TCPMSS_H*/
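Review bot: The rewritten compatibility header carries no comment explaining that it now only aliases the xtables definitions, so a reader meeting `#define ipt_tcpmss_info xt_tcpmss_info` has to work out why a struct tag is being macro-renamed. A one-line comment above the include, such as `/* Compatibility shim: the target is implemented by xt_TCPMSS; keep the ipt_ names for existing userspace */`, would make the intent explicit. It is worth stating in that comment that only the `struct ipt_tcpmss_info` spelling is preserved, since a macro alias of a tag does not provide a typedef of the same name.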
net/ipv4/netfilter/Kconfig +0 −26 Original line number Diff line number Diff line Loading @@ -361,32 +361,6 @@ config IP_NF_TARGET_ULOG To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_TCPMSS tristate "TCPMSS target support" depends on IP_NF_IPTABLES ---help--- This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets: 1) Web browsers connect, then hang with no data received. 2) Small mail works fine, but large emails hang. 3) ssh works fine, but scp hangs after initial handshaking. Workaround: activate this option and add a rule to your firewall configuration like: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu To compile it as a module, choose M here. If unsure, say N. # NAT + specific targets: ip_conntrack config IP_NF_NAT tristate "Full NAT" Loading
net/ipv4/netfilter/Makefile +0 −1 Original line number Diff line number Diff line Loading @@ -103,7 +103,6 @@ obj-$(CONFIG_IP_NF_TARGET_SAME) += ipt_SAME.o obj-$(CONFIG_IP_NF_NAT_SNMP_BASIC) += ip_nat_snmp_basic.o obj-$(CONFIG_IP_NF_TARGET_LOG) += ipt_LOG.o obj-$(CONFIG_IP_NF_TARGET_ULOG) += ipt_ULOG.o obj-$(CONFIG_IP_NF_TARGET_TCPMSS) += ipt_TCPMSS.o obj-$(CONFIG_IP_NF_TARGET_CLUSTERIP) += ipt_CLUSTERIP.o obj-$(CONFIG_IP_NF_TARGET_TTL) += ipt_TTL.o Loading