Hello!
I need to use TCP MSS clamping on an output interface and I'm facing a weird behaviour.
I'm using the following related rules:
```
leonardo@router1# show
 rule 1 {
     protocol tcp
     set {
         tcp-mss 1420
     }
     tcp {
         flags SYN
     }
 }
 rule 2 {
     protocol tcp
     set {
         tcp-mss 1420
     }
     tcp {
         flags SYN,RST
     }
 }
 rule 3 {
     protocol tcp
     set {
         tcp-mss 1420
     }
     tcp {
         flags SYN,ACK
     }
 }
```
This policy route is being applied to the interface, as can be confirmed using iptables-save:
```
# Generated by iptables-save v1.4.12.2 on Tue May 23 16:49:42 2017
*mangle
:PREROUTING ACCEPT [58274915:15858160997]
:INPUT ACCEPT [10940:1633454]
:FORWARD ACCEPT [57478793:15745212011]
:OUTPUT ACCEPT [10588:3735723]
:POSTROUTING ACCEPT [57489373:15748947030]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:equinix-out - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A VYATTA_FW_IN_HOOK -i eth0.112 -j equinix-out
-A equinix-out -p tcp -m comment --comment equinix-out-1 -m tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-2 -m tcp --tcp-flags SYN,RST SYN,RST -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-3 -m tcp --tcp-flags SYN,ACK SYN,ACK -j TCPMSS --set-mss 1420
-A equinix-out -m comment --comment "equinix-out-10000 default-action accept" -j RETURN
COMMIT
```
This way, the answer to a connection from the internet still has MSS==1460, but if I apply the following rule, everything works as expected:
```
sudo iptables -t mangle -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0.112 -j TCPMSS --set-mss 1420
```
Resulting in:
```
# Generated by iptables-save v1.4.12.2 on Tue May 23 16:49:42 2017
*mangle
:PREROUTING ACCEPT [58274915:15858160997]
:INPUT ACCEPT [10940:1633454]
:FORWARD ACCEPT [57478793:15745212011]
:OUTPUT ACCEPT [10588:3735723]
:POSTROUTING ACCEPT [57489373:15748947030]
:VYATTA_FW_IN_HOOK - [0:0]
:VYATTA_FW_OUT_HOOK - [0:0]
:equinix-out - [0:0]
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A POSTROUTING -o eth0.112 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1420
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A VYATTA_FW_IN_HOOK -i eth0.112 -j equinix-out
-A equinix-out -p tcp -m comment --comment equinix-out-1 -m tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-2 -m tcp --tcp-flags SYN,RST SYN,RST -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-3 -m tcp --tcp-flags SYN,ACK SYN,ACK -j TCPMSS --set-mss 1420
-A equinix-out -m comment --comment "equinix-out-10000 default-action accept" -j RETURN
COMMIT
```
So I tried to find a way to set the TCP flags as "SYN,RST SYN", but there is no option in VyOS allowing this; it creates the argument pairing automatically from the "tcp flags" statement.
Is it possible to add a parameter to the tcp flags statement that allows creating a custom pair of mask/active flags?
System version:
```
leonardo@router1:~$ show version
Version:      VyOS 1.1.7
Description:  VyOS 1.1.7 (helium)
Copyright:    2016 VyOS maintainers and contributors
Built by:     [email protected]
Built on:     Wed Feb 17 09:57:31 UTC 2016
Build ID:     1602170957-4459750
System type:  x86 64-bit
Boot via:     image
HW model:     X10SLM-F
HW S/N:       0123456789
HW UUID:      00000000-0000-0000-0000-0CC47A4A59C0
Uptime:       16:54:53 up 42 min,  3 users,  load average: 0.03, 0.15, 0.20
```
Thanks!
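Editor's note with an added example (not code from the report or from VyOS). Two things differ between the generated rule set and the manual rule, and the `--tcp-flags` pairing is only one of them. The script below simulates how `-m tcp --tcp-flags MASK COMP` decides a match (only the MASK bits are examined, and they must equal COMP) over four constructed packet shapes, and it resolves every `TCPMSS` rule in the iptables-save output back to the netfilter hook it hangs off. The rule lines are copied from the report above, trimmed to the mangle rules involved; the sample packets are constructed.

```python
import re

# Added example (editor's, not VyOS or the reporter's code): simulate how iptables'
# "-m tcp --tcp-flags MASK COMP" decides a match, and resolve each TCPMSS rule back to
# the netfilter hook it hangs off. The rule lines below are copied from the iptables-save
# output in the report, trimmed to the mangle-table rules that matter.
SAVE_BEFORE = """\
-A PREROUTING -j VYATTA_FW_IN_HOOK
-A POSTROUTING -j VYATTA_FW_OUT_HOOK
-A VYATTA_FW_IN_HOOK -i eth0.112 -j equinix-out
-A equinix-out -p tcp -m comment --comment equinix-out-1 -m tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-2 -m tcp --tcp-flags SYN,RST SYN,RST -j TCPMSS --set-mss 1420
-A equinix-out -p tcp -m comment --comment equinix-out-3 -m tcp --tcp-flags SYN,ACK SYN,ACK -j TCPMSS --set-mss 1420
-A equinix-out -m comment --comment "equinix-out-10000 default-action accept" -j RETURN
"""
# The rule the reporter inserted by hand (iptables -I POSTROUTING ...), as iptables-save shows it.
MANUAL_RULE = "-A POSTROUTING -o eth0.112 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1420\n"

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}

# Constructed sample packets: the flag byte of the handshake shapes a clamp rule may see.
SAMPLE_PACKETS = {
    "SYN": TCP_FLAGS["SYN"],
    "SYN+ACK": TCP_FLAGS["SYN"] | TCP_FLAGS["ACK"],
    "SYN+RST": TCP_FLAGS["SYN"] | TCP_FLAGS["RST"],
    "ACK": TCP_FLAGS["ACK"],
}

def flag_bits(spec):
    """'SYN,RST' -> 0x06; iptables also accepts ALL and NONE."""
    spec = spec.upper()
    if spec == "ALL":
        return 0x3F
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name]
    return bits

def tcp_flags_match(mask, comp, packet_flags):
    """Only the MASK bits are examined, and they must equal COMP exactly."""
    return (packet_flags & flag_bits(mask)) == flag_bits(comp)

def matching_packets(mask, comp):
    """Names of the sample packets a '--tcp-flags mask comp' match would select."""
    return [name for name, bits in SAMPLE_PACKETS.items() if tcp_flags_match(mask, comp, bits)]

def parse_rules(save_text):
    """Split iptables-save '-A' lines into user-chain jumps and TCPMSS rules."""
    jumps, tcpmss = [], []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        m = re.search(r"(?:^|\s)-([io]) (\S+)", line)
        iface = (m.group(1), m.group(2)) if m else None
        target = re.search(r"-j (\S+)", line).group(1)
        if target == "TCPMSS":
            mask, comp = re.search(r"--tcp-flags (\S+) (\S+)", line).groups()
            mss = int(re.search(r"--set-mss (\d+)", line).group(1))
            tcpmss.append({"chain": chain, "iface": iface, "mask": mask, "comp": comp, "mss": mss})
        elif target not in ("ACCEPT", "DROP", "RETURN"):
            jumps.append((chain, iface, target))
    return jumps, tcpmss

def hooks_of(chain, jumps):
    """Walk jumps backwards to the built-in hook(s), collecting -i/-o conditions on the way."""
    if chain in BUILTIN_CHAINS:
        return [(chain, ())]
    found = []
    for src, iface, dst in jumps:
        if dst == chain:
            for hook, conds in hooks_of(src, jumps):
                found.append((hook, conds + ((iface,) if iface else ())))
    return found

def analyze(save_text):
    """For every TCPMSS rule: its hook, interface conditions, and which sample packets it clamps."""
    jumps, tcpmss = parse_rules(save_text)
    report = []
    for rule in tcpmss:
        own = (rule["iface"],) if rule["iface"] else ()
        for hook, conds in hooks_of(rule["chain"], jumps):
            report.append({
                "hook": hook,
                "conditions": conds + own,
                "flags": rule["mask"] + " " + rule["comp"],
                "clamps": matching_packets(rule["mask"], rule["comp"]),
                "mss": rule["mss"],
            })
    return report

if __name__ == "__main__":
    for label, text in (("VyOS-generated rules", SAVE_BEFORE), ("with the manual rule", MANUAL_RULE + SAVE_BEFORE)):
        print("==", label, "==")
        for r in analyze(text):
            where = " ".join("-%s %s" % c for c in r["conditions"])
            print("%-12s %-12s --tcp-flags %-16s clamps: %s" % (r["hook"], where, r["flags"], ", ".join(r["clamps"])))
```

What the run shows: the generated rule 1 (`SYN SYN`) already matches every packet with SYN set, and `SYN,RST SYN` only narrows that by excluding the bogus SYN+RST combination, so flag pairing alone does not explain the different result. The generated chain, however, is reached from `PREROUTING` through `VYATTA_FW_IN_HOOK -i eth0.112`, so it only ever sees packets arriving on eth0.112, while the manual rule sits in `POSTROUTING -o eth0.112` and sees packets leaving it, which is where the SYN+ACK reply to an internet-originated connection passes. When checking an MSS clamp, resolve the rule to its hook and direction first, then look at the flags.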