summaryrefslogtreecommitdiff
path: root/docs/configuration/policy
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2022-11-08 21:04:56 +0100
committerGitHub <noreply@github.com>2022-11-08 21:04:56 +0100
commite2b77279aeb1c9f83a23d61e8064f4c29a5d783a (patch)
treedb5f77e18df70dc18c696e4bcf5319a2041bd792 /docs/configuration/policy
parent2b6b35b1fc659cd82b801d21dc7c17dd2986f146 (diff)
parent57a03630ae6bb3ccb17f2131a316f5cf4f0e6f3a (diff)
downloadvyos-documentation-e2b77279aeb1c9f83a23d61e8064f4c29a5d783a.tar.gz
vyos-documentation-e2b77279aeb1c9f83a23d61e8064f4c29a5d783a.zip
Merge pull request #868 from SquirePug/patch-2
Add MSS clamp example
Diffstat (limited to 'docs/configuration/policy')
-rw-r--r--docs/configuration/policy/examples.rst29
1 files changed, 29 insertions, 0 deletions
diff --git a/docs/configuration/policy/examples.rst b/docs/configuration/policy/examples.rst
index 2d44f4bc..f52a7950 100644
--- a/docs/configuration/policy/examples.rst
+++ b/docs/configuration/policy/examples.rst
@@ -182,3 +182,32 @@ Add multiple source IP in one rule with same priority
set policy local-route rule 101 source '203.0.113.253'
set policy local-route rule 101 source '198.51.100.0/24'
+###########################
+Clamp MSS for a specific IP
+###########################
+
+This example shows how to target an MSS clamp (in our example to 1360 bytes)
+to a specific destination IP.
+
+.. code-block:: none
+
+ set policy route IP-MSS-CLAMP rule 10 description 'Clamp TCP session MSS to 1360 for 198.51.100.30'
+ set policy route IP-MSS-CLAMP rule 10 destination address '198.51.100.30/32'
+ set policy route IP-MSS-CLAMP rule 10 protocol 'tcp'
+ set policy route IP-MSS-CLAMP rule 10 set tcp-mss '1360'
+ set policy route IP-MSS-CLAMP rule 10 tcp flags 'SYN'
+
+To apply this policy to the correct interface, configure it on the
+interface the inbound local host will send through to reach our
+destined target host (in our example eth1).
+
+.. code-block:: none
+
+ set interfaces ethernet eth1 policy route IP-MSS-CLAMP
+
+You can view that the policy is being correctly (or incorrectly) utilised
+with the following command:
+
+.. code-block:: none
+
+ show policy route statistics