
Remove broken MSS-clamping old command
Closed, Invalid
Public

Description

Apparently, the old way of doing MSS-Clamping through PBR is broken (an example here).

Now it is done with

set firewall options interface <interface> adjust-mss|adjust-mss6 <number-of-bytes>

However, the old way is still configurable through CLI.

As it does not work now, it should be removed.

Details

Difficulty level
Unknown (require assessment)
Version
1.2.x ; 1.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

Unknown Object (User) created this task. Sep 17 2020, 11:46 AM

It uses different directions.

set interfaces ethernet eth0 policy route 'MSS-POLICY'
set policy route MSS-POLICY description 'TCPMSS clamping'
set policy route MSS-POLICY rule 100 protocol 'tcp'
set policy route MSS-POLICY rule 100 set tcp-mss '1452'
set policy route MSS-POLICY rule 100 tcp flags 'SYN'

set firewall options interface eth0 adjust-mss '1222'

In the first case, table mangle and the input direction are used; in the other, output.

-A MSS-POLICY -p tcp -m comment --comment MSS-POLICY-100 -m tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1452
-A MSS-POLICY -m comment --comment "MSS-POLICY-10000 default-action accept" -j RETURN
-A VYATTA_FW_IN_HOOK -i eth0 -j MSS-POLICY

-A VYOS_FW_OPTIONS -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1222
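
Added example (not part of the original task or its comments): a small Python check that reads the rule lines quoted in the comment above and reports, for every TCPMSS rule, the interface and direction it is bound to. It follows jumps backwards, because the MSS-POLICY rule carries no interface match of its own and gets its direction from the hook chain that jumps to it. The function names are made up for this example.

```python
import shlex

# Rule lines copied from the comment above.
RULES = '''\
-A MSS-POLICY -p tcp -m comment --comment MSS-POLICY-100 -m tcp --tcp-flags SYN SYN -j TCPMSS --set-mss 1452
-A MSS-POLICY -m comment --comment "MSS-POLICY-10000 default-action accept" -j RETURN
-A VYATTA_FW_IN_HOOK -i eth0 -j MSS-POLICY
-A VYOS_FW_OPTIONS -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1222
'''

def parse_rule(line):
    """Split one '-A' line into (chain, {option: [values]}).
    Limitation: negated matches ('!') are not interpreted."""
    tok = shlex.split(line)
    opts, i = {}, 2
    while i < len(tok):
        key, i = tok[i], i + 1
        vals = []
        while i < len(tok) and not tok[i].startswith("-"):
            vals.append(tok[i])
            i += 1
        opts[key] = vals
    return tok[1], opts

def iface_matches(chain, opts, rules, seen=frozenset()):
    """Return [(direction, iface)] constraining a rule, following jumps backwards."""
    found = [(d, opts[f][0]) for f, d in (("-i", "in"), ("-o", "out")) if f in opts]
    if found or chain in seen:
        return found
    for parent, popts in rules:
        if popts.get("-j") == [chain]:  # parent rule jumps into this chain
            found += iface_matches(parent, popts, rules, seen | {chain})
    return found

def mss_clamps(text):
    """List (chain, direction, iface, mss) for every TCPMSS rule in the text."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A ")]
    out = []
    for chain, opts in rules:
        if opts.get("-j") != ["TCPMSS"]:
            continue
        mss = opts.get("--set-mss", ["pmtu"])[0]  # --clamp-mss-to-pmtu has no value
        for direction, iface in iface_matches(chain, opts, rules) or [("any", "*")]:
            out.append((chain, direction, iface, mss))
    return out

if __name__ == "__main__":
    for chain, direction, iface, mss in mss_clamps(RULES):
        print(f"{chain}: clamp to {mss} on {iface} ({direction})")
```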