From c2d2d2a9830ac26f685e79d2a917934382cd2cc2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sun, 29 Jul 2012 16:52:40 +0000
Subject: [PATCH] firewall: Add rule to clamp PMTU.
---
 functions.firewall | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/functions.firewall b/functions.firewall
index 2a5cbedb..11d88ccd 100644
--- a/functions.firewall
+++ b/functions.firewall
@@ -47,6 +47,7 @@ function firewall_start() {
 # Add default chains.
 firewall_tcp_state_flags
 firewall_connection_tracking
+ firewall_tcp_clamp_mss

 # Add policies for every zone.
 policy_add_localhost
@@ -151,6 +152,12 @@ function firewall_tcp_state_flags() {
 iptables -A FORWARD -p tcp -j BADTCP
 }

+function firewall_tcp_clamp_mss() {
+ log DEBUG "Adding rules to clamp MSS to path MTU..."
+ iptables -t mangle -A FORWARD \
+ -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+}
+
 function firewall_connection_tracking() {
 log INFO "Creating Connection Tracking chain..."
 iptables_chain_create CONNTRACK
-- 
2.47.3
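Review bot: The `iptables -t mangle -A FORWARD` rule added in firewall_tcp_clamp_mss is appended on every firewall_start and is the only mangle-table rule visible here. If the teardown path (outside these hunks) flushes only the filter table, each restart would stack another TCPMSS rule, so confirm that something like `iptables -t mangle -F FORWARD` runs before it. The rule is also IPv4-only; if this firewall forwards IPv6, the same clamp would presumably be needed via `ip6tables`, since PMTU black holes affect both families. A short comment such as `# MSS is only carried in SYN segments, so match SYN without RST` would explain the `--tcp-flags SYN,RST SYN` match. Clamping helps TCP only, so ICMP fragmentation-needed messages should still be permitted for other protocols.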