Attempting to set a TCP MSS clamp via the firewall options configuration directive currently does not result in a firewall configuration that correctly sets the MSS value. While setting a value and committing appears successful, a glance at the resulting rules:
    XT target TCPMSS not found
    table ip mangle {
        chain VYOS_FW_OPTIONS {
            oifname "<ifname>" meta l4proto tcp tcp flags & (syn|rst) == syn counter
        }
    }
shows that:
- There was an error converting the iptables rules to nftables (XT target TCPMSS not found)
- A rule to match TCP SYN packets has been added, but with no action expression beyond counter (i.e. no MSS clamping)
This is due to Debian Buster (and later) using iptables-nft instead of native iptables, where iptables directives are converted to nftables rules at runtime. The present version of iptables-nft is unable to convert this iptables rule losslessly to an nftables statement, resulting in an actionless statement.
Edit: It seems like the rule works as intended, but due to reasons linked in a comment below, does not show up correctly in nftables. Thus only the overly narrow MSS clamp limit issue described below remains.
In addition to the above, the configuration validation range for TCP MSS is overly narrow: it needlessly caps the upper bound at 1500 octets (so MTUs above 1500 are unsupported) and incorrectly sets the lower bound to 1280 octets for IPv6. A TCP MSS must be 60 octets less than the link MTU (40-octet IPv6 header plus 20-octet TCP header), and the minimum IPv6 link MTU is 1280, so the correct minimum MSS clamp value for IPv6 is 1220.
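As an added illustration (not code from the VyOS tree), the following Python sketch shows the two checks this report calls for: deriving the MSS from a link MTU per address family and validating against corrected bounds, plus rendering a native nftables rule that carries an actual MSS action instead of the counter-only rule above. The interface name "eth0" and the 576-octet IPv4 floor are assumptions; the header sizes, the 1280 IPv6 minimum MTU and the 16-bit MSS option ceiling are protocol constants.

```python
# Added example, not VyOS code: MSS derivation, range validation and a native
# nftables clamp rule for the issue described in this report.

IP_HEADER = {4: 20, 6: 40}     # IPv4 header without options / fixed IPv6 header
TCP_HEADER = 20                # TCP header without options
# Lower-bound MTUs: 1280 is the IPv6 minimum link MTU (RFC 8200). 576 for IPv4
# is an assumed practical floor (RFC 791 host datagram size), giving MSS 536.
MIN_MTU = {4: 576, 6: 1280}
MSS_FIELD_MAX = 65535          # the MSS option is a 16-bit field


def mss_for_mtu(mtu: int, family: int) -> int:
    """MSS that fits a link MTU: MTU minus IP and TCP headers (60 for IPv6)."""
    return mtu - IP_HEADER[family] - TCP_HEADER


def mss_bounds(family: int) -> tuple[int, int]:
    """Lower bound follows from the minimum MTU (1220 for IPv6, not 1280);
    the upper bound is the option field width, not a fixed 1500."""
    return mss_for_mtu(MIN_MTU[family], family), MSS_FIELD_MAX


def validate_mss(mss: int, family: int) -> bool:
    """True when the configured MSS is usable for this address family."""
    lo, hi = mss_bounds(family)
    return lo <= mss <= hi


def nft_mss_clamp_rule(ifname: str, mss: int, family: int) -> str:
    """Native nftables rule with a real action expression, in contrast to the
    counter-only rule that iptables-nft produced for the TCPMSS target."""
    if not validate_mss(mss, family):
        raise ValueError(f"MSS {mss} outside {mss_bounds(family)} for IPv{family}")
    return (f'oifname "{ifname}" meta l4proto tcp tcp flags & (syn|rst) == syn '
            f'tcp option maxseg size set {mss} counter')


if __name__ == "__main__":
    # "eth0" is a constructed placeholder interface name.
    print(nft_mss_clamp_rule("eth0", mss_for_mtu(1280, 6), 6))
```

Loading the printed rule into the VYOS_FW_OPTIONS chain and re-listing the ruleset is the quickest way to confirm that an MSS action is present where the converted TCPMSS rule showed none.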