tech-net archive


Re: MSS clamping in NPF



On Sun, Jan 15, 2017 at 10:12:16AM +0100, Egerváry Gergely wrote:
> The biggest problem is MSS clamping. I do need it, because Path MTU
> Discovery is broken on ~20 percent of the Internet. Users cannot
> browse their favorite websites without MSS clamping.

procedure "norm" {
        normalize: "max-mss" 1432
}

group default {
  pass out final on pppoe0 family inet4 all apply "norm"
}

You shouldn't need MSS clamping for IPv6 ever -- any network admin that
breaks IPv6 ICMP enough to inhibit Path MTU discovery should be fired
immediately and likely has much bigger problems already anyway.

Joerg
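
What a "max-mss" normalization does to a packet, as an added illustration that is not part of the original message and is not NPF's code: on a TCP SYN it lowers the MSS option to the configured ceiling (1432 in the rule above) and patches the checksum. The function names, addresses and ports below are hypothetical, and the sample segment is constructed.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def swap16(v: int) -> int:
    return ((v << 8) | (v >> 8)) & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a SYN segment to max_mss and patch the checksum."""
    hdr_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if hdr_len > len(tcp) or not hdr_len or not tcp[13] & 0x02:
        return tcp                               # truncated, or not a SYN
    i = 20
    while i + 1 < hdr_len and tcp[i] != 0:       # kind 0 ends the option list
        kind, length = tcp[i], tcp[i + 1]
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > hdr_len:   # malformed option: leave alone
            break
        if kind == 2 and length == 4:
            old = struct.unpack_from("!H", tcp, i + 2)[0]
            if old <= max_mss:
                break
            # RFC 1624 incremental update: HC' = ~(~HC + ~m + m'). At an odd
            # offset the value straddles two checksum words, so byte-swap it.
            m_old, m_new = (swap16(old), swap16(max_mss)) if i % 2 else (old, max_mss)
            hc = struct.unpack_from("!H", tcp, 16)[0]
            s = ones_sum(struct.pack("!3H", hc ^ 0xFFFF, m_old ^ 0xFFFF, m_new))
            out = bytearray(tcp)
            struct.pack_into("!H", out, i + 2, max_mss)
            struct.pack_into("!H", out, 16, s ^ 0xFFFF)
            return bytes(out)
        i += length
    return tcp

def build_syn(pseudo: bytes, mss: int, leading_nop: bool = False) -> bytes:
    """Constructed sample input: a SYN whose checksum is valid over `pseudo`."""
    opts = (b"\x01" if leading_nop else b"") + struct.pack("!BBH", 2, 4, mss)
    opts += b"\x00" * (-len(opts) % 4)
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, (5 + len(opts) // 4) << 4, 2, 65535, 0, 0)
    csum = ones_sum(pseudo + hdr + opts) ^ 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + opts
```

A segment that passes through `clamp_mss` still verifies against its pseudo-header (`ones_sum(pseudo + segment) == 0xFFFF`), which is why the peer accepts the rewritten SYN.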

