A little long-winded...

My confusion is the documentation for the firewall mtu_fix says "Enable MSS clamping on outgoing zone traffic." This option is a de facto default for the WAN zone. My initial interpretation is this will force the router to clamp the TCP Maximum Segment Size on forwarded traffic to/from the LAN-side to a fixed value. For Ethernet this is almost always 1460 (1500 - 20 octet IP header - 20 octet TCP header). Routers do this to prevent IP fragmentation/reassembly as each packet traverses the Internet.

The mtu_fix firewall option appears to create the following netfilter rule:

iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

This netfilter rule invokes the kernel xt_TCPMSS.c:tcpmss_mangle_packet function on only TCP SYN packets. The function "clamps" the TCP MSS option to in the SYN packet. This MSS option advertises to the far-end to send TCP segments of 1460 or less to prevent IP fragmentation.

The mtu_fix option does not appear to mangle outgoing packets (and I'm not clear how the router would do that anyway without fragmenting the TCP payload, which defeats the point of clamping the MSS). It appears to clamp the MSS option in the SYN packet to the standard 1460 to tell the far-end (e.g. server) to send packets with MSS<=1460.

I don't see how mtu_fix mangles any other packets forwarded to the WAN-side. The IP stack in the originating station will (or should, but all of my test stations do it) set the outgoing MSS to 1460.
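A small Python model of the clamping step the post attributes to xt_TCPMSS, added here as an example and not OpenWrt's or the kernel's code: it walks the TCP options of a SYN, rewrites the MSS to the path MTU minus the 20-byte IP and 20-byte TCP headers (the same arithmetic as the post's 1500 - 20 - 20 = 1460), and leaves non-SYN segments untouched as the rule's --tcp-flags SYN,RST SYN match does. The sample segment and the PMTU values 1500 (plain Ethernet) and 1492 (PPPoE) are constructed for the demo; the TCP checksum update the real module also performs is omitted.

```python
import struct

IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options: the post's 1500 - 20 - 20 = 1460 arithmetic

def clamp_mss_option(tcp_segment: bytes, pmtu: int):
    """Clamp the MSS option of a TCP SYN to pmtu - 40, the value that
    TCPMSS --clamp-mss-to-pmtu derives from the outgoing interface's path MTU.
    Returns (segment, new_mss); new_mss is None when nothing was changed.
    The TCP checksum rewrite that the kernel module also performs is omitted."""
    data_offset = (tcp_segment[12] >> 4) * 4          # TCP header length in bytes
    if not tcp_segment[13] & 0x02:                    # not a SYN: the rule's
        return tcp_segment, None                      # --tcp-flags SYN,RST SYN skips it
    limit = pmtu - IP_HDR - TCP_HDR
    opts = bytearray(tcp_segment[TCP_HDR:data_offset])
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if length < 2:                                # malformed option: stop walking
            break
        if kind == 2 and length == 4:                 # MSS option
            mss = struct.unpack_from("!H", opts, i + 2)[0]
            new = min(mss, limit)
            struct.pack_into("!H", opts, i + 2, new)
            return tcp_segment[:TCP_HDR] + bytes(opts) + tcp_segment[data_offset:], new
        i += length
    return tcp_segment, None

def build_segment(mss=None, flags=0x02) -> bytes:
    """Constructed sample segment (not a real capture): port 40000 -> 443,
    options MSS (if given), NOP, NOP, SACK-permitted."""
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    words = (TCP_HDR + len(options)) // 4             # data offset in 32-bit words
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, words << 4, flags, 65535, 0, 0)
    return header + options

if __name__ == "__main__":
    syn = build_segment(1460)
    for pmtu in (1500, 1492):                         # plain Ethernet, PPPoE
        print(pmtu, clamp_mss_option(syn, pmtu)[1])   # 1500 -> 1460, 1492 -> 1452
```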