-rw-r--r--CommandListener.cpp1
-rw-r--r--SecondaryTableController.cpp25
-rw-r--r--SecondaryTableController.h1
3 files changed, 27 insertions, 0 deletions
diff --git a/CommandListener.cpp b/CommandListener.cpp
index f1bec153..0ca5d8f9 100644
--- a/CommandListener.cpp
+++ b/CommandListener.cpp
@@ -90,6 +90,7 @@ static const char* RAW_PREROUTING[] = {
static const char* MANGLE_POSTROUTING[] = {
BandwidthController::LOCAL_MANGLE_POSTROUTING,
IdletimerController::LOCAL_MANGLE_POSTROUTING,
+ SecondaryTableController::LOCAL_MANGLE_POSTROUTING,
NULL,
};
diff --git a/SecondaryTableController.cpp b/SecondaryTableController.cpp
index d12f4c87..736b5fec 100644
--- a/SecondaryTableController.cpp
+++ b/SecondaryTableController.cpp
@@ -37,6 +37,7 @@
#include "SecondaryTableController.h"
const char* SecondaryTableController::LOCAL_MANGLE_OUTPUT = "st_mangle_OUTPUT";
+const char* SecondaryTableController::LOCAL_MANGLE_POSTROUTING = "st_mangle_POSTROUTING";
const char* SecondaryTableController::LOCAL_MANGLE_EXEMPT = "st_mangle_EXEMPT";
const char* SecondaryTableController::LOCAL_MANGLE_IFACE_FORMAT = "st_mangle_%s_OUTPUT";
const char* SecondaryTableController::LOCAL_NAT_POSTROUTING = "st_nat_POSTROUTING";
@@ -422,6 +423,18 @@ int SecondaryTableController::setFwmarkRule(const char *iface, bool add) {
"0",
NULL);
+ /* Best effort, because some kernels might not have the needed TCPMSS */
+ execIptables(V4V6,
+ "-t",
+ "mangle",
+ "-A",
+ LOCAL_MANGLE_POSTROUTING,
+ "-p", "tcp", "-o", iface, "--tcp-flags", "SYN,RST", "SYN",
+ "-j",
+ "TCPMSS",
+ "--clamp-mss-to-pmtu",
+ NULL);
+
} else {
ret = execIptables(V4V6,
"-t",
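Review bot: The return value of the added TCPMSS `execIptables(V4V6, ...)` call is dropped without any log, so on a kernel that lacks the TCPMSS target the interface comes up without MSS clamping and nothing records why; the `-D` call added in the next hunk has the same gap. Staying best-effort is fine, but capture the result and log a warning that names `iface`, and extend the comment to say what the consequence is, e.g. `/* Best effort: without the TCPMSS target this interface runs with no MSS clamp. */`. The rule is also appended with `-A` unconditionally, so if setFwmarkRule(iface, true) can run twice for one interface the clamp rule is duplicated while the removal path deletes only one copy; the function body starts outside the hunk, so whether a repeat call is possible cannot be confirmed here. `iface` is passed straight to `-o`, and any validation of the name is likewise outside the hunk and worth confirming.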
@@ -450,6 +463,18 @@ int SecondaryTableController::setFwmarkRule(const char *iface, bool add) {
"-X",
chain_str,
NULL);
+
+ /* Best effort, because some kernels might not have the needed TCPMSS */
+ execIptables(V4V6,
+ "-t",
+ "mangle",
+ "-D",
+ LOCAL_MANGLE_POSTROUTING,
+ "-p", "tcp", "-o", iface, "--tcp-flags", "SYN,RST", "SYN",
+ "-j",
+ "TCPMSS",
+ "--clamp-mss-to-pmtu",
+ NULL);
}
//set up the needed source IP rewriting
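Review bot: The `-D` argument list in this hunk is a hand-copied duplicate of the `-A` list added in the previous hunk, and iptables only deletes a rule whose specification matches exactly, so any later edit to one copy (flags, target option, interface match) silently leaves stale clamp rules in `st_mangle_POSTROUTING` after teardown. Factoring the shared rule spec into one private helper that takes the operation (`"-A"` or `"-D"`) and `iface` would keep the two paths in lockstep. Because the delete is best-effort and unlogged, a failed removal would leave a rule bound to an interface name that may later be reused; the rest of setFwmarkRule lies outside the hunk, so how teardown failures are reported overall is not visible here.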
diff --git a/SecondaryTableController.h b/SecondaryTableController.h
index 81bb8634..a1536857 100644
--- a/SecondaryTableController.h
+++ b/SecondaryTableController.h
@@ -59,6 +59,7 @@ public:
int setupIptablesHooks();
static const char* LOCAL_MANGLE_OUTPUT;
+ static const char* LOCAL_MANGLE_POSTROUTING;
static const char* LOCAL_MANGLE_EXEMPT;
static const char* LOCAL_MANGLE_IFACE_FORMAT;
static const char* LOCAL_NAT_POSTROUTING;