
TCP MSS clamping broken in equuleus
Status: Open, Requires assessment | Visibility: Public | Type: BUG

Description

Setting a TCP MSS clamp via the firewall options configuration directive does not currently produce a firewall configuration that sets the MSS value correctly. Setting a value and committing appears to succeed, but a look at the resulting rules:

XT target TCPMSS not found
table ip mangle {
    chain VYOS_FW_OPTIONS {
        oifname "<ifname>" meta l4proto tcp tcp flags & (syn|rst) == syn counter
    }
}

shows that:

  1. There was an error converting the iptables rules to nftables (XT target TCPMSS not found)
  2. A rule to match TCP SYN packets has been added but with no action expression beyond counter (i.e. no MSS clamping)

This is due to Debian Buster (and later) using iptables-nft instead of native iptables: iptables directives are converted to nftables rules at runtime, and the present version of iptables-nft is unable to convert this iptables rule losslessly into an nftables statement, leaving a statement with no action.

Edit: It seems like the rule works as intended, but due to reasons linked in a comment below, does not show up correctly in nftables. Thus only the overly narrow MSS clamp limit issue described below remains.

In addition to the above, the configuration validation range for TCP MSS is overly narrow: the upper bound is needlessly limited to 1500 octets (so MTUs above 1500 are unsupported), and the lower bound for IPv6 is incorrectly set to 1280 octets (an IPv6 TCP MSS must be 60 octets less than the link MTU, whose minimum is 1280, so the correct minimum MSS clamp value for IPv6 is 1220).
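As an added illustration (not VyOS code), the following derives the MSS a clamp should set from a link MTU and checks it against both the narrow validation range described above and a corrected one; the IPv4 floor of the narrow range, the 576-octet IPv4 minimum MTU, the 9000-octet jumbo MTU used as the corrected ceiling, and the native nftables rule text are assumptions made here.

```python
# Added example, not VyOS's own code. Overheads are the minimum IP header
# plus the minimum (option-free) TCP header, which is what the report's
# "60 less than the link MTU" figure for IPv6 corresponds to.
OVERHEAD = {"ipv4": 20 + 20, "ipv6": 40 + 20}
IPV6_MIN_MTU = 1280      # IPv6 minimum link MTU (stated in the report)
IPV4_MIN_MTU = 576       # assumption: IPv4 minimum reassembly datagram size
MAX_MTU = 9000           # assumption: a common jumbo-frame MTU as the ceiling

# Range the report says the validator enforces: IPv6 floor 1280, ceiling 1500
# for both families. The IPv4 floor is not given in the report; 1 is a
# placeholder so the narrow range can still be expressed for comparison.
NARROW_RANGE = {"ipv4": (1, 1500), "ipv6": (1280, 1500)}
CORRECT_RANGE = {
    fam: (lo - OVERHEAD[fam], MAX_MTU - OVERHEAD[fam])
    for fam, lo in (("ipv4", IPV4_MIN_MTU), ("ipv6", IPV6_MIN_MTU))
}


def mss_for_mtu(family: str, mtu: int) -> int:
    """MSS a clamp should advertise so one full segment fits the link MTU."""
    if family not in OVERHEAD:
        raise ValueError(f"unknown address family {family!r}")
    return mtu - OVERHEAD[family]


def validate_mss(family: str, mss: int, ranges=CORRECT_RANGE) -> bool:
    """True if mss lies inside the given validation range for the family."""
    lo, hi = ranges[family]
    return lo <= mss <= hi


def clamp_audit(family: str, mtu: int) -> dict:
    """For one link MTU, report the derived MSS and which validator accepts it."""
    mss = mss_for_mtu(family, mtu)
    return {
        "mss": mss,
        "narrow_accepts": validate_mss(family, mss, NARROW_RANGE),
        "correct_accepts": validate_mss(family, mss, CORRECT_RANGE),
    }


def nft_clamp_rule(ifname: str, mss: int) -> str:
    """Native nftables rule (assumed syntax, see nft(8)) that carries the
    explicit MSS action the iptables-nft translation in the report lacks."""
    return (f'oifname "{ifname}" tcp flags & (syn|rst) == syn '
            f"tcp option maxseg size set {mss}")


if __name__ == "__main__":
    for fam, mtu in (("ipv6", 1280), ("ipv4", 1500), ("ipv4", 9000)):
        print(fam, mtu, clamp_audit(fam, mtu))
    print(nft_clamp_rule("eth0", mss_for_mtu("ipv6", 1280)))
```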

Details

Difficulty level: Unknown (require assessment)
Version: 1.3.2
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

It seems like I was wrong about the netfilter rule not working as intended (and in my testing the clamp was broken for some other reason that was an error on my part). The post has been edited to only indicate the remaining issue of an overly strict MSS clamping range.

The post above with the stackexchange link describes why the nft rule does not show the full TCP MSS clamp.