Page MenuHomeVyOS Platform
Create Task
Maniphest T4709

TCP MSS clamping broken in equuleus
Closed, ResolvedPublicBUG
Actions

Description

Attempting to set a TCP MSS clamp via the firewall options configuration directive currently does not result in a firewall configuration that correctly sets the MSS value. While setting a value and committing appears successful, a glance at the resulting rules:

XT target TCPMSS not found
table ip mangle {
    chain VYOS_FW_OPTIONS {
        oifname "<ifname>" meta l4proto tcp tcp flags & (syn|rst) == syn counter
    }
}

shows that:

  1. There was an error converting the iptables rules to nftables (XT target TCPMSS not found)
  2. A rule to match TCP SYN packets has been added but with no action expression beyond counter (i.e. no MSS clamping)

This is due to Debian Buster (and up)'s use of iptables-nft instead of native iptables, where iptables directives are converted to nftable rules at runtime. The present version of iptables-nft is unable to convert the iptables rule losslessly to a nftables statement, resulting in a actionless statement.

Edit: It seems like the rule works as intended, but due to reasons linked in a comment below, does not show up correctly in nftables. Thus only the overly narrow MSS clamp limit issue described below remains.

In addition to the above, the configuration validation range for TCP MSS is overly narrow, needlessly limiting to 1500 octets (thus no support for >1500 MTUs) on the upper bound, and incorrectly limiting to 1280 octets for IPv6 on the lower bound (TCP MSS values need to be 60 less than the link MTU, which at minimum is 1280, such that a correct minimum MSS clamping value for IPv6 should be 1220).

Details

Difficulty level
Unknown (require assessment)
Version
1.3.2
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Bug (incorrect behavior)

Related Objects

Mentioned In
1.3.3

Event Timeline

initramfs created this task.Sep 24 2022, 7:43 PM
pasik added a subscriber: pasik.Sep 24 2022, 8:06 PM
initramfs added a comment.Sep 24 2022, 8:15 PM

Relevant PRs:

Tested on Equuleus 1.3.2

initramfs added a comment.Sep 24 2022, 8:28 PM

See https://unix.stackexchange.com/questions/672742/why-mss-clamping-in-iptables-nft-seems-to-take-no-effect-in-nftables for additional explanation why the iptables version do not work under iptables-nft.

initramfs updated the task description. (Show Details)Sep 26 2022, 3:07 AM
initramfs added a comment.Sep 26 2022, 3:10 AM

It seems like I was wrong about the netfilter rule not working as intended (and in my testing the clamp was broken for some other reason that was an error on my part), the post has been edited to only indicate the remaining issue of an overly strict MSS clamping range.

The post above with the stackexchange link describes why the nft rule does not show the full TCP MSS clamp.

c-po added a subscriber: c-po.Dec 11 2022, 7:36 PM

@initramfs can we close this?

c-po moved this task from Need Triage to Backlog on the VyOS 1.3 Equuleus (1.3.3) board.Dec 11 2022, 7:37 PM
initramfs added a comment.EditedDec 13 2022, 12:14 PM

@c-po While I was wrong about the MSS clamp not being applied, the missing clamp-mss-to-pmtu feature and the incorrect MSS limits are both still problems that PR 1557 addresses. I believe we can close this after those issues are addressed.

initramfs closed this task as Resolved.Dec 18 2022, 1:43 PM
initramfs claimed this task.
Viacheslav moved this task from Backlog to Finished on the VyOS 1.3 Equuleus (1.3.3) board.Dec 19 2022, 6:53 AM
dmbaturin mentioned this in 1.3.3.May 19 2023, 1:04 PM