It seems as though MSS clamping is not being done in the case of an interface inside a VRF, for traffic coming out of an MPLS cloud.
Traffic coming from the VRF and destined for the MPLS cloud is being clamped.
Interface config
ethernet eth0 {
    description "To TEST-CR-1"
    mtu 1450
}
ethernet eth1 {
    description "To TEST-CR-3"
    mtu 1450
}
ethernet eth2 {
    address xxx.xxx.31.169/24
    description CORE-NET
    hw-id xx:xx:xx:xx:xx:a1
    ip {
        adjust-mss 1300
    }
    mtu 9000
    vrf INTERNET
}
loopback lo {
    address xxx.xxx.2.2/32
}
macsec macsec0 {
    address xxx.xxx.12.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-1 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth0
}
macsec macsec1 {
    address xxx.xxx.23.1/30
    ip {
        adjust-mss 1300
    }
    mtu 1400
    security {
        cipher gcm-aes-256
        encrypt
        static {
            key xxxxxx
            peer TEST-CR-2 {
                key xxxxxx
                mac xx:xx:xx:xx:xx:de
            }
        }
    }
    source-interface eth1
}
nft rule
table ip raw {
    chain VYOS_TCP_MSS {
        type filter hook forward priority raw; policy accept;
        oifname "eth2" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
        oifname "macsec1" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
        oifname "macsec0" tcp flags syn / syn,rst tcp option maxseg size 1301-65535 tcp option maxseg size set 1300
    }
}
tcpdump of external interface
21:35:44.861147 bc:24:11:cf:36:a1 > a6:e1:1a:ef:ec:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 333, offset 0, flags [DF], proto TCP (6), length 60) 10.0.31.169.33608 > 52.149.246.39.443: Flags [S], cksum 0x5b1b (correct), seq 1944170184, win 64240, options [mss 1460,sackOK,TS val 1477811659 ecr 0,nop,wscale 7], length 0
21:35:44.899297 a6:e1:1a:ef:ec:be > bc:24:11:cf:36:a1, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60) 52.149.246.39.443 > 10.0.31.169.33608: Flags [S.], cksum 0x681c (correct), seq 1738005423, ack 1944170185, win 43440, options [mss 1460,sackOK,TS val 2107081551 ecr 1477811659,nop,wscale 7], length 0
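To make the capture above easier to check, here is an added example (not part of the bug report and not VyOS code) that parses `tcpdump -e -v` style lines like the two shown, picks out every segment with the SYN flag set, and lists those whose advertised MSS is above the configured clamp (1300 here). The sample capture embedded in the script is the two lines from the report; the helper names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two lines from the tcpdump excerpt in the report.
SAMPLE_CAPTURE = """\
21:35:44.861147 bc:24:11:cf:36:a1 > a6:e1:1a:ef:ec:be, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 62, id 333, offset 0, flags [DF], proto TCP (6), length 60) 10.0.31.169.33608 > 52.149.246.39.443: Flags [S], cksum 0x5b1b (correct), seq 1944170184, win 64240, options [mss 1460,sackOK,TS val 1477811659 ecr 0,nop,wscale 7], length 0
21:35:44.899297 a6:e1:1a:ef:ec:be > bc:24:11:cf:36:a1, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60) 52.149.246.39.443 > 10.0.31.169.33608: Flags [S.], cksum 0x681c (correct), seq 1738005423, ack 1944170185, win 43440, options [mss 1460,sackOK,TS val 2107081551 ecr 1477811659,nop,wscale 7], length 0
"""

# Matches the IPv4 TCP part of a verbose tcpdump line: endpoints, flags and the
# bracketed TCP options list.  The MAC addresses earlier on the line contain no
# dotted quads, so the lazy prefix skips past them.
TCP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?"
    r"options \[(?P<opts>[^\]]*)\]"
)
MSS_RE = re.compile(r"\bmss (\d+)")


@dataclass
class SynSegment:
    ts: str
    src: str      # "ip:port"
    dst: str      # "ip:port"
    flags: str    # tcpdump flag string, e.g. "S" or "S."
    mss: int      # advertised MSS option value


def parse_syn_segments(capture: str) -> list[SynSegment]:
    """Return every SYN-bearing segment (SYN or SYN/ACK) that carries an MSS option."""
    found = []
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if not m or "S" not in m.group("flags"):
            continue  # not TCP, or no SYN flag: adjust-mss does not touch it
        mss = MSS_RE.search(m.group("opts"))
        if not mss:
            continue  # SYN without an MSS option: nothing to clamp
        found.append(SynSegment(
            ts=m.group("ts"),
            src=f"{m.group('src')}:{m.group('sport')}",
            dst=f"{m.group('dst')}:{m.group('dport')}",
            flags=m.group("flags"),
            mss=int(mss.group(1)),
        ))
    return found


def unclamped(segments: list[SynSegment], clamp: int) -> list[SynSegment]:
    """Segments whose MSS still exceeds the clamp, i.e. the rewrite did not happen."""
    return [s for s in segments if s.mss > clamp]


if __name__ == "__main__":
    segs = parse_syn_segments(SAMPLE_CAPTURE)
    for s in unclamped(segs, 1300):
        print(f"{s.ts} {s.src} -> {s.dst} flags=[{s.flags}] mss={s.mss} (expected <= 1300)")
```

Run against a longer capture (`tcpdump -e -v -n -i eth2 'tcp[tcpflags] & tcp-syn != 0'`) the output lists exactly the handshakes that left with an unclamped MSS, which is the evidence the report relies on; an inbound SYN/ACK captured on the ingress interface is shown with the peer's original MSS because the forward-hook rewrite has not happened yet at that capture point.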
Protocols config
bgp {
    neighbor xxx.xxx.12.12 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    neighbor xxx.xxx.32.32 {
        address-family {
            ipv4-vpn {
                nexthop-self {
                }
            }
        }
        remote-as XXXXXX
        update-source lo
    }
    parameters {
        router-id xxx.xxx.2.2
    }
    system-as 65001
}
mpls {
    interface macsec0
    interface macsec1
    ldp {
        discovery {
            transport-ipv4-address xxx.xxx.2.2
        }
        interface macsec0
        interface macsec1
        interface lo
        router-id xxx.xxx.2.2
    }
    parameters {
        no-propagate-ttl
    }
}
ospf {
    area 0 {
        network xxx.xxx.2.2/32
        network xxx.xxx.12.0/30
        network xxx.xxx.23.0/30
    }
    interface lo {
        passive {
        }
    }
    interface macsec0 {
    }
    interface macsec1 {
    }
}
VRF config
protocols {
    bgp {
        address-family {
            ipv4-unicast {
                export {
                    vpn
                }
                import {
                    vpn
                }
                label {
                    vpn {
                        export auto
                    }
                }
                rd {
                    vpn {
                        export xxx.xxx.2.2:1
                    }
                }
                redistribute {
                    static {
                    }
                }
                route-target {
                    vpn {
                        export xxx.xxx.2.2:1
                        import 65001:1
                    }
                }
            }
        }
        parameters {
            router-id xxx.xxx.2.2
        }
        system-as 65001
    }
    ospf {
        area 0 {
            network xxx.xxx.31.0/24
        }
    }
    static {
        route xxx.xxx.0.0/0 {
            next-hop xxx.xxx.31.241 {
            }
        }
    }
}
table 150