Firewall mtu_fix confusion

A little long winded...

My confusion is the documentation for the firewall mtu_fix says "Enable MSS
clamping on outgoing zone traffic." This option is a defacto default for the
WAN zone. My initial interpretation is this will force the router to clamp the
TCP Maximum Segment Size on forwarded traffic to/from the LAN-side to a fixed
value. For ethernet this is almost always 1460 (1500 - 20 octet IP header - 20
octet TCP header). Routers do this to prevent IP fragmentation/reassembly as
each packet traverses the Internet.

The mtu_fix firewall option appears to create the following netfilter rule:

iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

This netfilter rule invokes the kernel xt_TCPMSS.c:tcpmss_mangle_packet
function on only TCP SYN packets. The function "clamps" the TCP MSS option to
in the SYN packet. This MSS option advertises to the far-end to
send TCP segments of 1460 or less to prevent IP fragmentation.

The mtu_fix option does not appear to mangle outgoing packets (and I'm not
clear how the router would do that anyway without fragmenting the TCP payload -
which defeats the point of clamping the MSS.) It appears to clamp the MSS
option in the SYN packet to the standard 1460 to tell the far-end (e.g. server)
to send packets with MSS<=1460.

I don't see how mtu_fix mangles any other packets forwarded to the WAN-side.
The IP stack in the originating station will (or should, but all of my test
stations do it) set the outgoing MSS to 1460.

Can you provide that link, please?

The logical answer would be that it is only required for SYN-flagged packets and the rest of the sequence will follow that MSS.

1 Like

The page is: https://openwrt.org/docs/guide-user/firewall/firewall_configuration
in the zones section.

Well, my interpretation of the tcpmss kernel module, which is enabled by mtu_fix, is that it does not affect outgoing traffic at all.

Let's clarify terms.
The rule in the headpost is only applied to FORWARD-chain that only affects forwarded/transit traffic.
To affect outgoing traffic you should create the rule in OUTPUT-chain.

I added rules like the one below for all my WAN-side interfaces. Fixed problems I was having for router-initiated traffic going out to internet.

iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu

Also see this link --> https://www.linuxtopia.org/Linux_Firewall_iptables/x4700.html

Does this actually do anything in the output chain?
Processes running on the router will use the wan interface mtu anyway?

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.