aboutsummaryrefslogtreecommitdiff
path: root/net/netfilter/Kconfig
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-02-07 15:09:46 -0800
committerDavid S. Miller <davem@sunset.davemloft.net>2007-02-08 12:39:16 -0800
commitcdd289a2f833b93e65b9a09a02c37f47a58140a8 (patch)
treeed5172808cdd5b24605205732aca724a0fb9910d /net/netfilter/Kconfig
parenta8d0f9526ff8510d6fa5e708ef5386af19503299 (diff)
[NETFILTER]: add IPv6-capable TCPMSS target
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/Kconfig')
-rw-r--r--net/netfilter/Kconfig26
1 files changed, 26 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 614c92c1783..748f7f00909 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -395,6 +395,32 @@ config NETFILTER_XT_TARGET_CONNSECMARK
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_TARGET_TCPMSS
+ tristate '"TCPMSS" target support'
+ depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
+ ---help---
+ This option adds a `TCPMSS' target, which allows you to alter the
+ MSS value of TCP SYN packets, to control the maximum size for that
+ connection (usually limiting it to your outgoing interface's MTU
+ minus 40).
+
+ This is used to overcome criminally braindead ISPs or servers which
+ block ICMP Fragmentation Needed packets. The symptoms of this
+ problem are that everything works fine from your Linux
+ firewall/router, but machines behind it can never exchange large
+ packets:
+ 1) Web browsers connect, then hang with no data received.
+ 2) Small mail works fine, but large emails hang.
+ 3) ssh works fine, but scp hangs after initial handshaking.
+
+ Workaround: activate this option and add a rule to your firewall
+ configuration like:
+
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
+ -j TCPMSS --clamp-mss-to-pmtu
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_COMMENT
tristate '"comment" match support'
depends on NETFILTER_XTABLES