Page MenuHomePhabricator

Policy route pmtu option fail
Closed, ResolvedPublicBUG

Description

If you try to create a policy route in order to use to auto MSS-CLAMPING on a PPPoE connection (or other interfaces) using the option tcp-mss pmtu you obtain an iptables error

for example the rule
set policy route PPPOE_CLAMPING rule 10 protocol tcp
set policy route PPPOE_CLAMPING rule 10 tcp flags SYN
set policy route PPPOE_CLAMPING rule 10 set tcp-mss pmtu

please can you fix it? Because pmtu option is very usefull...

Details

Difficulty level
Normal (likely a few hours)
Version
1.2.0-rc1

Related Objects

afics added a subscriber: afics.Aug 10 2016, 6:43 PM

Can you please post the corresponding iptables error?

from "commit"

[ policy route PPPOE_CLAMPING ]
iptables: Invalid argument. Run `dmesg' for more information.
Use of uninitialized value $rule_strs[1] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 734.
Use of uninitialized value $rule_strs[2] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 734.
Use of uninitialized value $rule_strs[3] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 734.
Use of uninitialized value $rule_strs[4] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 734.
Use of uninitialized value $rule_strs[5] in join or string at /opt/vyatta/sbin/vyatta-firewall.pl line 734.
iptables error: No such file or directory - -m comment --comment "PPPOE_CLAMPING-10" -p tcp -m tcp --tcp-flags SYN SYN -m iprange ! --dst-range 192.168.20.0-192.168.30.255 -j TCPMSS --clamp-mss-to-pmtu at /opt/vyatta/sbin/vyatta-firewall.pl line 734.

[[policy route PPPOE_CLAMPING]] failed

Commit failed

from dmesg:
xt_TCPMSS: path-MTU clamping only supported in FORWARD, OUTPUT and POSTROUTING hooks

syncer added a subscriber: VyOS 1.2.x.
Tania added a subscriber: Tania.Nov 5 2017, 9:11 PM
Tania removed a subscriber: Tania.
dmbaturin edited projects, added VyOS 1.2.x (VyOS 1.2.0-rc3); removed VyOS 1.2.x.
dmbaturin set Version to 1.2.0-rc1.
syncer changed the subtype of this task from "Task" to "Bug".Oct 18 2018, 5:52 AM

It appears to work now:

dmbaturin@vyos# show policy ro
route      route-map  
[edit]
dmbaturin@vyos# show policy route
 route FOO {
     rule 10 {
         protocol tcp
         set {
             tcp-mss pmtu
         }
         tcp {
             flags SYN
         }
     }
 }


dmbaturin@vyos# sudo iptables -L FOO -nv -t mangle 
Chain FOO (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* FOO-10 */ tcp flags:0x02/0x02 TCPMSS clamp to PMTU
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* FOO-10000 default-action accept */

Perhaps iptables finally added support for clamping to PMTU for the mangle table (it used to be only available in filter FORWARD).