
need an option for route policy to apply to dynamic interfaces l2tp*/ipoe*/pppoe* (for TCP MSS setting)
Closed, Resolved | Public | Feature Request

Description

When creating a route(6) policy you can't apply it to dynamic interfaces like pppoe* or l2tp*. This is needed, for example, to set TCP MSS on dynamic interfaces.
The problem arises when two pppoe or l2tp subscribers talk to each other: we need to clamp TCP MSS, but there is no way to configure this.
My current workaround looks like this:

First, we need to create a route policy so that the rule chain VYOS_PBR_POSTROUTING gets created within "ip mangle":

config
set policy route l2tp-tcp-mss rule 100 protocol 'tcp'
set policy route l2tp-tcp-mss rule 100 set tcp-mss '1300'
set policy route l2tp-tcp-mss rule 100 tcp flags syn
commit
save
exit

Then we make the TCP MSS change within that rule:

sudo nft add rule ip mangle VYOS_PBR_POSTROUTING 'oifname "l2tp*" tcp flags & syn == syn counter tcp option maxseg size set 1300'

There is a need for an option to set an interface mask for policy route:
set interfaces pppoe pppoe* policy route <policy name>
set interfaces ipoe ipoe* policy route <policy name>
set interfaces l2tp l2tp* policy route <policy name>

Thank you,
Alexander

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

aserkin updated the task description.

Does it do the same?

set firewall interface l2tp* out name 'FOO'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 protocol 'tcp'
set firewall name FOO rule 10 tcp flags syn
set firewall name FOO rule 10 tcp mss '1300'

nft

table ip vyos_filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		oifname "l2tp*" counter packets 0 bytes 0 jump NAME_FOO
		jump VYOS_POST_FW
	}
...
	chain NAME_FOO {
		tcp flags & syn == syn tcp option maxseg size 1300 counter packets 0 bytes 0 return comment "FOO-10"
		counter packets 0 bytes 0 drop comment "FOO default-action drop"
	}
}

There's no "set firewall interface" option here:
admin@vyos-lns-1:~$ show version
Version: VyOS 1.4-rolling-202209131208

admin@vyos-lns-1# set firewall interface l2tp* out name 'l2tp-tcp-mss'

  Configuration path: firewall [interface] is not valid
  Set failed

@aserkin, Viacheslav's commands are present in more recent nightly builds.
Try with one of the latest images.

Oops. Thank you Nicolas.
Suddenly found myself far behind the current rolling release. Will upgrade first.

The firewall settings do not seem to catch the traffic going out of l2tp* interfaces.

admin@vyos-lns-1:~$ show config commands |grep firewall
set firewall interface l2tp* out name 'nodefw'
set firewall log-martians 'disable'
set firewall name nodefw rule 100 action 'accept'
set firewall name nodefw rule 100 protocol 'tcp'
set firewall name nodefw rule 100 tcp flags syn
set firewall name nodefw rule 100 tcp mss '1300'

admin@vyos-lns-1:~$ sudo nft list table ip vyos_filter
table ip vyos_filter {
    chain VYOS_FW_FORWARD {
            type filter hook forward priority filter; policy accept;
            oifname "l2tp*" counter packets 0 bytes 0 jump NAME_nodefw
            jump VYOS_POST_FW
    }
...
    chain NAME_nodefw {
            tcp flags & syn == syn tcp option maxseg size 1300 **counter packets 0 bytes 0** return comment "nodefw-100"
            counter packets 0 bytes 0 drop comment "nodefw default-action drop"
    }

and tcpdump shows tcp mss 1456 going out of l2tp0:

root@vyos-lns-1:~# tcpdump -i l2tp0 -vvvv
tcpdump: listening on l2tp0, link-type LINUX_SLL (Linux cooked v1), snapshot length 262144 bytes
13:37:59.926891 IP (tos 0x10, ttl 63, id 6590, offset 0, flags [DF], proto TCP (6), length 60)
    10.111.1.4.34734 > 192.168.101.10.http: Flags [S], cksum 0x2e65 (correct), seq 4161148866, win 65520, options [**mss 1456**,sackOK,TS val 2754325653 ecr 0,nop,wscale 7], length 0
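As an added check (not from the ticket or from VyOS), the following parses tcpdump -vvvv output like the capture above and reports every SYN whose advertised MSS is still above the intended clamp, which is the quickest way to confirm whether a rule is actually rewriting the option. The first two lines are the capture above; the second SYN pair and the ACK line are constructed.

```python
import re

# tcpdump -vvvv prints two lines per packet: an "IP (tos ...)" header line
# and an indented flow line carrying the TCP flags and options.
_SYN_RE = re.compile(r"Flags \[S\.?\]")                      # SYN or SYN-ACK
_MSS_RE = re.compile(r"options \[[^\]]*?\bmss (\d+)")       # "mss 1456"
_FLOW_RE = re.compile(r"^\s*(\S+) > (\S+):")                # "src > dst:"

# Constructed sample capture; lines 1-2 are taken from the ticket.
SAMPLE_CAPTURE = [
    "13:37:59.926891 IP (tos 0x10, ttl 63, id 6590, offset 0, flags [DF], proto TCP (6), length 60)",
    "    10.111.1.4.34734 > 192.168.101.10.http: Flags [S], cksum 0x2e65 (correct), "
    "seq 4161148866, win 65520, options [mss 1456,sackOK,TS val 2754325653 ecr 0,nop,wscale 7], length 0",
    # constructed: a SYN that was clamped to 1300 as intended
    "13:38:00.101233 IP (tos 0x0, ttl 63, id 6591, offset 0, flags [DF], proto TCP (6), length 60)",
    "    10.111.1.5.40022 > 192.168.101.11.http: Flags [S], cksum 0x1a2b (correct), "
    "seq 12345, win 65520, options [mss 1300,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0",
    # constructed: a plain ACK, carries no MSS option and must be ignored
    "    192.168.101.10.http > 10.111.1.4.34734: Flags [.], cksum 0x0000 (correct), "
    "seq 1, ack 1, win 510, options [nop,nop,TS val 2 ecr 2754325653], length 0",
]


def advertised_mss(line):
    """Return the MSS advertised on a SYN/SYN-ACK flow line, else None."""
    if not _SYN_RE.search(line):
        return None
    m = _MSS_RE.search(line)
    return int(m.group(1)) if m else None


def find_unclamped(lines, max_mss):
    """Return (src, dst, mss) for every SYN whose MSS exceeds max_mss."""
    hits = []
    for line in lines:
        mss = advertised_mss(line)
        if mss is None or mss <= max_mss:
            continue
        flow = _FLOW_RE.search(line)
        src, dst = flow.groups() if flow else ("?", "?")
        hits.append((src, dst, mss))
    return hits


if __name__ == "__main__":
    for src, dst, mss in find_unclamped(SAMPLE_CAPTURE, 1300):
        print(f"unclamped SYN {src} -> {dst}: mss {mss} > 1300")
```

Pipe a live capture in with `tcpdump -i l2tp0 -nn -vvvv 'tcp[tcpflags] & tcp-syn != 0'` and feed its lines to find_unclamped to see which flows the rule missed.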

@aserkin Thanks.
Are the l2tp clients in the network 192.168.101.x? And are you trying to connect to some web resource behind l2tp?

Yes, they are. 192.168.101.10 is the IP of a VPN remote-access subscriber. He's connected to interface l2tp0 (accel-ppp). And I'm just trying to open a TCP connection to port 80 on the client from the peer node.

Viacheslav claimed this task.
vyos@r4# set policy route fo interface l2tp*