CIPE between two Linux systems on the Internet has been established. Now I want to route all tcp traffic between the two linux systems over the CIPE tunnel, so I've set up fwmark and iproute2 policies. However, the TCPMSS rule only applies to SYN packets. I'm able to set the TCPMSS to 1400 for client TCP connections, but on the server, the kernel message "sending pkt_too_big to self" repeatedly gets logged, and tcp connections constantly get hung. CIPE address Internet IP 192.168.250.33 209.249.19.46 linux-dsl 192.168.250.34 65.0.152.158 athome Commands run on "athome" (relevant sections reversed on "linux-dsl") echo 201 >> /etc/iproute2/rt_tables cipe0.vpn iptables -t mangle -A OUTPUT -p tcp --syn -j TCPMSS --set-mss 1460 iptables -t mangle -A OUTPUT -p tcp -d 209.249.19.46 -j MARK --set-mark 1 ip rule add fwmark 1 table cipe0.vpn ip route add default via 192.168.250.34 dev cipcb0 table cipe0.vpn Here's a snippet from "tcpdump -ni cipcb0 tcp port 25" Kernel filter, protocol ALL, TURBO mode (575 frames), datagram packet socket tcpdump: listening on cipcb0 12:15:58.996627 > 65.0.152.158.10046 > 209.249.19.46.smtp: S 2412475983:2412475983(0) win 5840 <mss 1400,sackOK,timestamp 817624 0,nop,wscale 0> (DF) 12:16:01.991788 > 65.0.152.158.10046 > 209.249.19.46.smtp: S 2412475983:2412475983(0) win 5840 <mss 1400,sackOK,timestamp 817924 0,nop,wscale 0> (DF) 12:16:02.011327 < 209.249.19.46.smtp > 65.0.152.158.10046: S 2416837938:2416837938(0) ack 2412475984 win 5792 <mss 1460,sackOK,timestamp 40493706 817624,nop,wscale 0> (DF) 12:16:02.011445 > 65.0.152.158.10046 > 209.249.19.46.smtp: . 1:1(0) ack 1 win 5840 <nop,nop,timestamp 817925 40493706> (DF) 12:16:02.039513 < 209.249.19.46.smtp > 65.0.152.158.10046: P 1:62(61) ack 1 win 5792 <nop,nop,timestamp 40493709 817925> (DF) 12:16:02.039591 > 65.0.152.158.10046 > 209.249.19.46.smtp: . 1:1(0) ack 62 win 5840 <nop,nop,timestamp 817928 40493709> (DF) 12:16:02.059384 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 1:38(37) ack 62 win 5840 <nop,nop,timestamp 817930 40493709> (DF) 12:16:02.093587 < 209.249.19.46.smtp > 65.0.152.158.10046: . 62:62(0) ack 38 win 5792 <nop,nop,timestamp 40493714 817930> (DF) 12:16:02.096197 < 209.249.19.46.smtp > 65.0.152.158.10046: P 62:238(176) ack 38 win 5792 <nop,nop,timestamp 40493714 817930> (DF) 12:16:02.096603 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 38:44(6) ack 238 win 6500 <nop,nop,timestamp 817934 40493714> (DF) 12:16:02.136428 < 209.249.19.46.smtp > 65.0.152.158.10046: P 238:261(23) ack 44 win 5792 <nop,nop,timestamp 40493717 817934> (DF) 12:16:02.136625 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 44:79(35) ack 261 win 6500 <nop,nop,timestamp 817938 40493717> (DF) 12:16:02.165945 < 209.249.19.46.smtp > 65.0.152.158.10046: P 261:309(48) ack 79 win 5792 <nop,nop,timestamp 40493722 817938> (DF) 12:16:02.166140 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 79:114(35) ack 309 win 6500 <nop,nop,timestamp 817941 40493722> (DF) 12:16:02.191079 < 209.249.19.46.smtp > 65.0.152.158.10046: P 309:362(53) ack 114 win 5792 <nop,nop,timestamp 40493724 817941> (DF) 12:16:02.191251 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 114:120(6) ack 362 win 6500 <nop,nop,timestamp 817943 40493724> (DF) 12:16:02.210254 < 209.249.19.46.smtp > 65.0.152.158.10046: P 362:412(50) ack 120 win 5792 <nop,nop,timestamp 40493726 817943> (DF) 12:16:02.210537 > 65.0.152.158.10046 > 209.249.19.46.smtp: P 120:165(45) ack 412 win 6500 <nop,nop,timestamp 817945 40493726> (DF) 12:16:02.275256 < 209.249.19.46.smtp > 65.0.152.158.10046: . 412:412(0) ack 165 win 5792 <nop,nop,timestamp 40493733 817945> (DF) Notice how 209.249.19.46 responds with a 1460 TCPMSS. This is too large when being tunneled through cipcb0. It appears to me that fwmark+iproute2 policy routing does not honor the gateway device's MTU. (CIPE tunnel devices have an MTU of 1442). Can anyone volunteer some suggestions?
