
Better support for tcp-mss
Closed, Duplicate · Public · Enhancement

Description

I have a VyOS-1.1.7 router with IPsec tunnel(s) and VLAN(s), and I have a problem with forwarding bigger packets (the well-known MTU/TCP-MSS problem).

I need to set up the tcp-mss option for connections incoming from the IPsec tunnel and outgoing to the VLAN.

I tried that:

set policy route mss rule 5 protocol 'tcp'
set policy route mss rule 5 set tcp-mss '1366'
set policy route mss rule 5 tcp flags 'SYN'
set interfaces ethernet eth0 vif 10 policy route 'mss'

It works, but only in one direction (VLAN -> IPsec). I checked the iptables rules and found this:

Chain VYATTA_FW_IN_HOOK (1 references)
pkts bytes target     prot opt in     out     source               destination         
273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0

I checked manually added iptables rules: a similar rule with "-o eth0.10" instead of "-i eth0.10" works, and a rule added to the filter/FORWARD chain also works.

It is impossible to add a policy to a vti interface, and it is impossible to add a policy to an ethernet/VLAN interface for outgoing traffic.
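The report shows the clamp rule being attached only on the "in" column of the hook chain, so reply traffic arriving from the tunnel never gets its MSS rewritten. The script below is an added example (not part of this task or of VyOS) that parses the plain `iptables -L -v -n` listing format quoted above and reports, per interface, whether a rule jumping to the MSS policy chain (the user chain named "mss", as in the report) or to the TCPMSS target matches on ingress (-i), egress (-o) or both. It also computes the MSS that fits a given path MTU. The listing is constructed: the VYATTA_FW_OUT_HOOK chain, the eth1 interface and the contents of the "mss" chain are assumptions added to show both partial cases.

```python
"""Check which interfaces have TCP MSS clamping in each direction.

Added example; not part of the VyOS task or of VyOS itself. The listing
format is the one quoted in the report; the sample data is constructed.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+)")
IPV4_HEADER = 20   # IPv4 header without options
IPV6_HEADER = 40
TCP_HEADER = 20    # TCP header without options


def mss_for_mtu(mtu, ipv6=False):
    """Largest TCP payload that fits in one packet of the given path MTU.

    E.g. a 1406-byte IPv4 path MTU gives 1366, the value used in the report.
    """
    return mtu - (IPV6_HEADER if ipv6 else IPV4_HEADER) - TCP_HEADER


def parse_listing(text):
    """Yield (chain, target, in_if, out_if) for every rule row in the listing."""
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        if line.startswith("pkts"):
            continue                 # column header row
        cols = line.split()
        if len(cols) < 9:
            continue                 # not a rule row
        # columns: pkts bytes target prot opt in out source destination [match text...]
        yield chain, cols[2], cols[5], cols[6]


def mss_coverage(text, mss_targets=("mss", "TCPMSS")):
    """Map interface name -> set of directions ("in"/"out") that have an MSS rule.

    Rules with "*" in a column match any interface and are not credited to one.
    """
    coverage = {}
    for _chain, target, in_if, out_if in parse_listing(text):
        if target not in mss_targets:
            continue
        if in_if != "*":
            coverage.setdefault(in_if, set()).add("in")
        if out_if != "*":
            coverage.setdefault(out_if, set()).add("out")
    return coverage


def one_way_only(coverage):
    """Interfaces clamped in exactly one direction, mapped to the missing one."""
    return {iface: ("out" if dirs == {"in"} else "in")
            for iface, dirs in coverage.items() if len(dirs) == 1}


# Constructed listing: the report's ingress-only hook on eth0.10 plus an
# assumed egress-only hook on eth1 (VYATTA_FW_OUT_HOOK and eth1 are assumptions).
SAMPLE_LISTING = """\
Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
 273K  501M mss        all  --  eth0.10 *       0.0.0.0/0            0.0.0.0/0

Chain VYATTA_FW_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 mss        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain mss (2 references)
 pkts bytes target     prot opt in     out     source               destination
 1234  100K TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02 TCPMSS set 1366
"""

if __name__ == "__main__":
    cov = mss_coverage(SAMPLE_LISTING)
    for iface, missing in sorted(one_way_only(cov).items()):
        print(f"{iface}: MSS clamped {sorted(cov[iface])} only, no rule for {missing}")
    print("MSS for a 1406-byte IPv4 path MTU:", mss_for_mtu(1406))
```

Run against a real box, feed it the output of `iptables -t mangle -L -v -n` (or the filter table, depending on where the hook lives) and treat any interface listed by `one_way_only` as a candidate for the one-direction symptom described in this report; a rule in the filter/FORWARD chain with both `-i` and `-o` set, or a TCPMSS rule without an interface match, will not be flagged.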

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7
Why the issue appeared?
Will be filled on close

Event Timeline

Kielek created this task. Apr 20 2016, 9:37 AM
syncer assigned this task to c-po. Jun 10 2018, 4:27 AM
syncer added a project: VyOS 1.2 Crux.
syncer added a subscriber: syncer.

We may want to extend this

pasik added a subscriber: pasik. Oct 1 2018, 9:51 AM
syncer reassigned this task from c-po to dmbaturin. Oct 20 2018, 4:33 AM
syncer added a subscriber: c-po.
syncer changed the subtype of this task from "Task" to "Enhancement". Oct 20 2018, 4:49 AM

I would also like to see this available for WireGuard interfaces, as I'm hitting this when using PBR/NATing.

If we are planning a firewall overhaul, the old design issues should not get in the way. It's planned for 1.3 though.

dmbaturin set Why the issue appeared? to Will be filled on close.