sn01,leintor: explictly set mss as clamp-to-pmtu is not working (#80)

freifunkh · Sep 13, 2020 · 6a83b64 · 6a83b64
1 parent 9ed8c66
commit 6a83b64
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/roles/ffh.exitnode/templates/ferm.conf.j2 b/roles/ffh.exitnode/templates/ferm.conf.j2
@@ -45,7 +45,10 @@ domain (ip) {
       &PRIV_NET(224.0.0.0/4);
       &PRIV_NET(240.0.0.0/4);
 
-      outerface eth0 proto tcp tcp-flags (SYN RST) SYN TCPMSS clamp-mss-to-pmtu;
+      # https://gluon.readthedocs.io/en/latest/user/faq.html#what-is-a-good-mtu-on-the-mesh-vpn
+      # 1394 (fastd mtu) - 32 (batman header) - 20 (ipv4 header) - 20 (tcp header) = 1322
+      outerface $DEV_EXIT proto tcp tcp-flags (SYN RST) SYN TCPMSS set-mss 1322;
+
       outerface eth0 interface eth0 DROP;
       ACCEPT;
     }
@@ -65,7 +68,10 @@ domain (ip6) {
       &PRIV_NET(fec0::/10);
       &PRIV_NET(ff00::/8);
 
-      outerface eth0 proto tcp tcp-flags (SYN RST) SYN TCPMSS clamp-mss-to-pmtu;
+      # https://gluon.readthedocs.io/en/latest/user/faq.html#what-is-a-good-mtu-on-the-mesh-vpn
+      # 1394 (fastd mtu) - 32 (batman header) - 40 (ipv6 header) - 20 (tcp header) = 1302
+      outerface $DEV_EXIT proto tcp tcp-flags (SYN RST) SYN TCPMSS set-mss 1302;
+
       outerface eth0 interface eth0 DROP;
       ACCEPT;
     }

diff --git a/roles/ffh.superexitnode/templates/ferm-10-exit.conf.j2 b/roles/ffh.superexitnode/templates/ferm-10-exit.conf.j2
@@ -46,7 +46,31 @@ domain (ip ip6) {
       proto tcp dport 25 REJECT reject-with icmp-admin-prohibited;
       proto tcp sport 25 REJECT reject-with icmp-admin-prohibited;
 
-      outerface $DEV_EXIT proto tcp tcp-flags (SYN RST) SYN TCPMSS clamp-mss-to-pmtu;
+    }
+  }
+}
+
+domain (ip) {
+  table filter {
+    chain FORWARD {
+
+      # https://gluon.readthedocs.io/en/latest/user/faq.html#what-is-a-good-mtu-on-the-mesh-vpn
+      # 1394 (fastd mtu) - 32 (batman header) - 20 (ipv4 header) - 20 (tcp header) = 1322
+      outerface $DEV_EXIT proto tcp tcp-flags (SYN RST) SYN TCPMSS set-mss 1322;
+
+      outerface $DEV_EXIT interface $DEV_EXIT DROP;
+      ACCEPT;
+    }
+  }
+}
+
+domain (ip6) {
+  table filter {
+    chain FORWARD {
+
+      # https://gluon.readthedocs.io/en/latest/user/faq.html#what-is-a-good-mtu-on-the-mesh-vpn
+      # 1394 (fastd mtu) - 32 (batman header) - 40 (ipv6 header) - 20 (tcp header) = 1302
+      outerface $DEV_EXIT proto tcp tcp-flags (SYN RST) SYN TCPMSS set-mss 1302;
 
       outerface $DEV_EXIT interface $DEV_EXIT DROP;
       ACCEPT;