From mboxrd@z Thu Jan 1 00:00:00 1970
From: Pablo Neira Ayuso
Subject: Re: Re: Re: Flowtable with ppp/bridge
Date: Mon, 3 May 2021 23:32:13 +0200
Message-ID: <20210503213213.GA17087@salvia>
References: <8AA68E42-DE50-4591-BCF0-18A058FA93F8@public-files.de> <20210426175703.GA3590@salvia> <20210427234929.GA19570@salvia> <4119615D-30F5-4A05-A206-5B7E97754F57@public-files.de> <20210502221122.GA19395@salvia>
Mime-Version: 1.0
Content-Disposition: inline
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: Frank Wunderlich
Cc: netfilter@vger.kernel.org

On Mon, May 03, 2021 at 08:56:48PM +0200, Frank Wunderlich wrote:
> Hi Pablo
>
> > Sent: Monday, 03 May 2021 at 00:11
> > From: "Pablo Neira Ayuso"
>
> > > You have to add a rule to clamp TCP mss to path MTU.
> > >
> > > ... tcp flags syn tcp option maxseg size set rt mtu
>
> Thanks, I try this like described here (just for reference):
>
> https://wiki.nftables.org/wiki-nftables/index.php/Mangling_packet_headers

I have updated the wiki: you have to mangle the TCP MSS options of the
original syn and the reply syn+ack packets.

> my MTU broadcast via dnsmasq does not work for all client-devices
>
> but imho this should affect 5.12 and 5.10 without flowtable too
> (because limit is the ppp-tunnel in default Gateway), right?? so it
> looks like flowtable in 5.10 breaks the Path Discovery or prevents
> fragmentation which should normally happen if packets are too big.

Did you try with the rule that mangles both the original syn and the
reply syn+ack packets? Do not restrict mangling to oifname pppoe0.
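An added example ruleset (not from this thread or from the nftables project) that applies the advice above: the forward chain clamps MSS on every TCP packet with the SYN bit set, which covers both the original SYN and the reply SYN+ACK without any oifname restriction, and only then offers established flows to the flowtable. The interface names lan0 and pppoe0 are assumptions.

```nft
# Added example, not from the thread. Interface names are assumptions.
table inet filter {
    flowtable ft {
        hook ingress priority 0
        devices = { lan0, pppoe0 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # "tcp flags syn" tests only the SYN bit, so this rule matches the
        # original SYN (lan0 -> pppoe0) and the reply SYN+ACK
        # (pppoe0 -> lan0). Deliberately no "oifname pppoe0": both
        # directions have to be clamped, as the reply above says.
        tcp flags syn tcp option maxseg size set rt mtu counter

        # Offload established TCP/UDP flows. SYN and SYN+ACK are never
        # offloaded (conntrack is not yet established), so the clamp
        # above always sees them before any packet bypasses the chain.
        ip protocol { tcp, udp } flow add @ft
    }
}
```

Load it with `nft -f <file>` and then `nft list chain inet filter forward`: the counter on the clamp rule should increase by two per new connection (one SYN, one SYN+ACK), which is the quickest way to confirm that neither direction is skipped.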