Firewall mtu_fix confusion

A little long winded...

My confusion is the documentation for the firewall mtu_fix says "Enable MSS
clamping on outgoing zone traffic." This option is a de facto default for the
WAN zone. My initial interpretation is this will force the router to clamp the
TCP Maximum Segment Size on forwarded traffic to/from the LAN-side to a fixed
value. For Ethernet this is almost always 1460 (1500 - 20 octet IP header - 20
octet TCP header). Routers do this to prevent IP fragmentation/reassembly as
each packet traverses the Internet.

The mtu_fix firewall option appears to create the following netfilter rule:

iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

This netfilter rule invokes the kernel xt_TCPMSS.c:tcpmss_mangle_packet
function on only TCP SYN packets. The function "clamps" the TCP MSS option to
in the SYN packet. This MSS option advertises to the far-end to
send TCP segments of 1460 or less to prevent IP fragmentation.

The mtu_fix option does not appear to mangle outgoing packets (and I'm not
clear how the router would do that anyway without fragmenting the TCP payload -
which defeats the point of clamping the MSS.) It appears to clamp the MSS
option in the SYN packet to the standard 1460 to tell the far-end (e.g. server)
to send packets with MSS<=1460.

I don't see how mtu_fix mangles any other packets forwarded to the WAN-side.
The IP stack in the originating station will (or should, but all of my test
stations do it) set the outgoing MSS to 1460.
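The following is an added illustration, not part of the original post and not the kernel's xt_TCPMSS.c code: a simplified C sketch of what `--clamp-mss-to-pmtu` in the rule above does to the MSS option of a forwarded IPv4 SYN. The function name `clamp_mss`, the sample option bytes and the path MTU of 1492 are assumptions made for the example; a SYN without an MSS option is simply left alone here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed sample: TCP options of a SYN (NOP, window scale 7,
 * MSS 1460, SACK-permitted, two EOL pad bytes). */
static uint8_t sample_syn_opts[12] = {
    0x01, 0x03, 0x03, 0x07, 0x02, 0x04, 0x05, 0xb4, 0x04, 0x02, 0x00, 0x00
};

/* Walk the options that follow the 20-byte TCP header and lower the MSS
 * option to (pmtu - 40) if it is larger: 20 bytes IPv4 header + 20 bytes
 * TCP header. Returns the MSS left in the packet, 0 if there is no MSS
 * option, -1 on malformed options. Checksum fix-up is omitted here. */
int clamp_mss(uint8_t *opt, size_t len, unsigned pmtu)
{
    if (pmtu <= 40)
        return -1;
    unsigned limit = pmtu - 40;
    for (size_t i = 0; i < len; ) {
        uint8_t kind = opt[i];
        if (kind == 0)                      /* end of option list */
            break;
        if (kind == 1) {                    /* NOP: single byte */
            i++;
            continue;
        }
        if (i + 1 >= len || opt[i + 1] < 2 || i + opt[i + 1] > len)
            return -1;                      /* truncated or bogus length */
        if (kind == 2) {                    /* MSS: kind, len 4, 16-bit value */
            if (opt[i + 1] != 4)
                return -1;
            unsigned mss = ((unsigned)opt[i + 2] << 8) | opt[i + 3];
            if (mss > limit) {              /* only ever lowered, never raised */
                mss = limit;
                opt[i + 2] = (uint8_t)(mss >> 8);
                opt[i + 3] = (uint8_t)(mss & 0xff);
            }
            return (int)mss;
        }
        i += opt[i + 1];
    }
    return 0;
}
int main(void)
{
    printf("MSS after clamp: %d\n", clamp_mss(sample_syn_opts, 12, 1492)); /* 1492: assumed path MTU */
    return 0;
}
```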

Can you provide that link, please?

The logical answer would be that it is only required for SYN-flagged packets and the rest of the sequence will follow that MSS.


The page is: https://openwrt.org/docs/guide-user/firewall/firewall_configuration
in the zones section.

Well, my interpretation of the tcpmss kernel module, which is enabled by mtu_fix, is that it does not affect outgoing traffic at all.

Let's clarify terms.
The rule in the head post is only applied to the FORWARD chain, which only affects forwarded/transit traffic.
To affect outgoing traffic you should create the rule in the OUTPUT chain.

I added rules like the one below for all my WAN-side interfaces. Fixed problems I was having for router-initiated traffic going out to the internet.

iptables -t mangle -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu

Also see this link --> https://www.linuxtopia.org/Linux_Firewall_iptables/x4700.html

Does this actually do anything in the output chain?
Processes running on the router will use the wan interface mtu anyway?

