Page MenuHomeVyOS Platform
Create Task
Maniphest T5797

MSS Clamping Not Applied to VRF Interface from MPLS Cloud
Closed, ResolvedPublicBUG
Actions

Description

It seems as though MSS clamping is not being done in the case of an interface inside a VRF, and coming out of a MPLS cloud.

Traffic coming from the VRF, and destined to go into the MPLS cloud, is being clamped.

Interface config

ethernet eth0 {
    description "To TEST-CR-1"
    mtu 1450
}
ethernet eth1 {
    description "To TEST-CR-3"
    mtu 1450
}
ethernet eth2 {
    address xxx.xxx.31.169/24
    description CORE-NET
    hw-id xx:xx:xx:xx:xx:a1
    ip {
        adjust-mss 1300
    }
    mtu 9000
    vrf INTERNET
}
loopback lo {
    address xxx.xxx.2.2/32
}
macsec macsec0 {
    address xxx.xxx.12.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-1 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth0
}
macsec macsec1 {
    address xxx.xxx.23.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-2 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth1
}

nft rule

table ip raw {
        chain VYOS_TCP_MSS {
                type filter hook forward priority raw; policy accept;
                oifname "eth2" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
                oifname "macsec1" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
                oifname "macsec0" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
        }

tcpdump of external interface

21:35:44.861147 bc:24:11:cf:36:a1 > a6:e1:1a:ef:ec:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 333, offset 0, flags [DF], proto TCP (6), length 60)
     10.0.31.169.33608 > 52.149.246.39.443: Flags [S], cksum 0x5b1b (correct), seq 1944170184, win 64240, options [mss 1460,sackOK,TS val 1477811659 ecr 0,nop,wscale 7], length 0
21:35:44.899297 a6:e1:1a:ef:ec:be > bc:24:11:cf:36:a1, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    52.149.246.39.443 > 10.0.31.169.33608: Flags [S.], cksum 0x681c (correct), seq 1738005423, ack 1944170185, win 43440, options [mss 1460,sackOK,TS val 2107081551 ecr 1477811659,nop,wscale 7], length 0

Protocols config

bgp {
    neighbor xxx.xxx.12.12 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    neighbor xxx.xxx.32.32 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    parameters {
        router-id xxx.xxx.2.2
    }
    system-as 65001
}
mpls {
    interface macsec0
    interface macsec1
    ldp {
        discovery {
            transport-ipv4-address xxx.xxx.2.2
        }
        interface macsec0
        interface macsec1
        interface lo
        router-id xxx.xxx.2.2
    }
    parameters {
        no-propagate-ttl
    }
}
ospf {
    area 0 {
        network xxx.xxx.2.2/32
        network xxx.xxx.12.0/30
        network xxx.xxx.23.0/30
    }
    interface lo {
        passive {
        }
    }
    interface macsec0 {
    }
    interface macsec1 {
    }
}

VRF config

protocols {
    bgp {
        address-family {
            ipv4-unicast {
                export {
                    vpn
                }
                import {
                    vpn
                }
                label {
                    vpn {
                        export auto
                    }
                }
                rd {
                    vpn {
                        export xxx.xxx.2.2:1
                    }
                }
                redistribute {
                    static {
                    }
                }
                route-target {
                    vpn {
                        export xxx.xxx.2.2:1
                        import 65001:1
                    }
                }
            }
        }
        parameters {
            router-id xxx.xxx.2.2
        }
        system-as 65001
    }
    ospf {
        area 0 {
            network xxx.xxx.31.0/24
        }
    }
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.31.241 {
            }
        }
    }
}
table 150

Details

Version
VyOS 1.5-rolling-202312010026
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Event Timeline

giga1699 created this task.Dec 3 2023, 9:52 PM
pasik subscribed.Dec 3 2023, 10:13 PM
giga1699 added a comment.Dec 3 2023, 11:43 PM

Adding trace, and monitoring, shows that the rule is never being hit.

oifname "eth2" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300 meta nftrace set 1 # handle 7
giga1699 added a comment.Dec 3 2023, 11:53 PM

tcpdump of internal MPLS interface during initial connection

23:51:06.518839 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 103: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 62, id 40636, offset 0, flags [none], proto UDP (17), length 81)
    10.0.17.11.53 > 10.10.10.6.44935: [udp sum ok] 46737 q: A? duck.com. 1/0/1 duck.com. [10s] A 40.89.244.232 ar: . OPT UDPsize=1232 (53)
23:51:06.522132 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 78: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20337, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [S], cksum 0xbba7 (correct), seq 3442740659, win 64240, options [mss 1460,sackOK,TS val 1084719903 ecr 0,nop,wscale 7], length 0
23:51:06.565968 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 82: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 49, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    40.89.244.232.443 > 10.10.10.6.49068: Flags [S.], cksum 0x20fe (correct), seq 3795538799, ack 3442740660, win 43440, options [mss 1300,sackOK,TS val 4207328262 ecr 1084719903,nop,wscale 7], length 0
23:51:06.569007 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 70: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20338, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [.], cksum 0xf6b6 (correct), seq 1, ack 1, win 502, options [nop,nop,TS val 1084719949 ecr 4207328262], length 0
23:51:06.569007 a6:d4:24:a0:05:de > 0a:e5:ec:30:0f:bb, ethertype MPLS unicast (0x8847), length 472: MPLS (label 80, tc 0, [S], ttl 63)
        (tos 0x0, ttl 63, id 20339, offset 0, flags [DF], proto TCP (6), length 454)
    10.10.10.6.49068 > 40.89.244.232.443: Flags [P.], cksum 0x5441 (correct), seq 1:403, ack 1, win 502, options [nop,nop,TS val 1084719950 ecr 4207328262], length 402
23:51:06.612358 0a:e5:ec:30:0f:bb > a6:d4:24:a0:05:de, ethertype MPLS unicast (0x8847), length 74: MPLS (label 18, tc 0, ttl 255)
        (label 16, tc 0, [S], ttl 255)
        (tos 0x0, ttl 49, id 1361, offset 0, flags [DF], proto TCP (6), length 52)
    40.89.244.232.443 > 10.10.10.6.49068: Flags [.], cksum 0xf599 (correct), seq 1, ack 403, win 337, options [nop,nop,TS val 4207328309 ecr 1084719950], length 0
Viacheslav triaged this task as Normal priority.Jan 20 2024, 1:58 PM
marekm subscribed.Jul 12 2024, 10:23 PM

Hmmm... nothing before today in this task seems related to ddclient at all, isn't this task referenced by mistake?
BTW, does anyone know what happened that Debian un-released ddcilent 3.10.0-3 (reverted to 3.10.0-2.1)?

c-po subscribed.Jul 13 2024, 3:08 PM
In T5797#195193, @marekm wrote:

Hmmm... nothing before today in this task seems related to ddclient at all, isn't this task referenced by mistake?
BTW, does anyone know what happened that Debian un-released ddcilent 3.10.0-3 (reverted to 3.10.0-2.1)?

Sorry, typo in the commit message with a mixed up task ID.

Unknown why Debian un-released that version - but we bumped it to Debians latest package - we only used the Debian build tools in the past and code from Upstream, that changed with this commit.

dmbaturin added a project: Bugs.Sep 15 2024, 5:03 PM
syncer edited projects, added VyOS Rolling; removed VyOS 1.5 Circinus.Oct 30 2024, 9:42 PM
syncer moved this task from Need Triage to Backlog - Bug on the VyOS Rolling board.
syncer added a subscriber: Global Notifications.Nov 1 2024, 9:19 PM
giga1699 added a comment.Jul 14 2025, 11:56 PM

Looking at this again, and it seems like if the nft rule is moved from forward hook to postrouting hook that MSS is adjusted appropriately.

Would there be an issue moving all MSS rules to postrouting?

fernando subscribed.Jul 15 2025, 1:08 AM
giga1699 claimed this task.Jul 17 2025, 1:41 AM

PR 4609 submitted to adjust MSS clamping from forward hook to postrouting.

Viacheslav subscribed.Jul 21 2025, 9:47 AM

PR https://github.com/vyos/vyos-1x/pull/4609

giga1699 mentioned this in rVYOSONEXf3d6b9aa369e: T5797: Adjust MSS from forward hook to postrouting.Jul 24 2025, 2:23 PM
Restricted Repository Identity mentioned this in rVYOSONEXe1cf4d112561: Merge pull request #4609 from giga1699/T5797.Jul 24 2025, 2:23 PM
dmbaturin closed this task as Resolved.Jul 31 2025, 12:23 AM
dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.4), VyOS 1.5 Circinus (1.5-stream-2025-Q3); removed Bugs.
dmbaturin changed Is it a breaking change? from Behavior change to Perfectly compatible.
dmbaturin moved this task from Backlog to Finished on the VyOS 1.4 Sagitta (1.4.4) board.
dmbaturin moved this task from Open to Finished on the VyOS 1.5 Circinus (1.5-stream-2025-Q3) board.
dmbaturin moved this task from Backlog - Bug to Completed on the VyOS Rolling board.
dmbaturin edited projects, added VyOS 1.5 Circinus (2025.11); removed VyOS 1.5 Circinus (1.5-stream-2025-Q3), VyOS 1.4 Sagitta (1.4.4), VyOS Rolling.Thu, Nov 13, 2:17 AM