Firewall mtu_fix confusion


#1

A little long-winded...

My confusion is that the documentation for the firewall mtu_fix says "Enable MSS
clamping on outgoing zone traffic." This option is a de facto default for the
WAN zone. My initial interpretation is that this will force the router to clamp the
TCP Maximum Segment Size on forwarded traffic to/from the LAN side to a fixed
value. For Ethernet this is almost always 1460 (1500 - 20 octet IP header - 20
octet TCP header). Routers do this to prevent IP fragmentation/reassembly as
each packet traverses the Internet.

The mtu_fix firewall option appears to create the following netfilter rule:

iptables -t mangle -A FORWARD -p tcp -o eth1 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu

This netfilter rule invokes the kernel xt_TCPMSS.c:tcpmss_mangle_packet
function on only TCP SYN packets. The function "clamps" the TCP MSS option to
in the SYN packet. This MSS option advertises to the far-end to
send TCP segments of 1460 or less to prevent IP fragmentation.

The mtu_fix option does not appear to mangle outgoing packets (and I'm not
clear how the router would do that anyway without fragmenting the TCP payload,
which defeats the point of clamping the MSS). It appears to clamp the MSS
option in the SYN packet to the standard 1460 to tell the far end (e.g. the server)
to send packets with MSS <= 1460.

I don't see how mtu_fix mangles any other packets forwarded to the WAN side.
The IP stack in the originating station will (or should, but all of my test
stations do it) set the outgoing MSS to 1460.
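Added example, not code from this thread or from the OpenWrt/netfilter projects: a small Python model of what the TCPMSS target's --clamp-mss-to-pmtu does to the MSS option of a forwarded SYN, using the 1500 - 20 - 20 arithmetic from the post above. The packet builder, ports and the 1500-byte PMTU are constructed sample data, and TCP checksum recalculation (which the kernel does) is omitted.

```python
import struct

IP_HDR_LEN = 20    # IPv4 header without options
TCP_HDR_LEN = 20   # TCP header without options
SYN, RST = 0x02, 0x04
MSS_KIND, MSS_LEN = 2, 4

def build_syn(mss: int, flags: int = SYN) -> bytes:
    """Constructed sample segment: 20-byte TCP header, MSS option, NOP/EOL padding."""
    opts = struct.pack("!BBH", MSS_KIND, MSS_LEN, mss) + b"\x01\x01\x01\x00"
    data_offset = (TCP_HDR_LEN + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + opts

def find_mss(tcp: bytes):
    """Walk the TCP option list; return (offset_of_value, mss) or None."""
    doff = (tcp[12] >> 4) * 4
    i = TCP_HDR_LEN
    while i < doff:
        kind = tcp[i]
        if kind == 0:            # End of option list
            return None
        if kind == 1:            # NOP
            i += 1
            continue
        length = tcp[i + 1]
        if length < 2:           # malformed option, stop parsing
            return None
        if kind == MSS_KIND and length == MSS_LEN:
            return i + 2, struct.unpack_from("!H", tcp, i + 2)[0]
        i += length
    return None

def clamp_mss_to_pmtu(tcp: bytes, pmtu: int = 1500):
    """Model of --clamp-mss-to-pmtu for IPv4: returns (segment, new_mss or None).

    Only segments matching --tcp-flags SYN,RST SYN are touched, and only when the
    advertised MSS exceeds pmtu minus the IP and TCP headers (1460 on a 1500 link).
    """
    flags = tcp[13]
    if not (flags & SYN) or (flags & RST):
        return tcp, None
    limit = pmtu - IP_HDR_LEN - TCP_HDR_LEN
    found = find_mss(tcp)
    if found is None or found[1] <= limit:
        return tcp, None         # kernel leaves an MSS at or below the limit alone
    offset, _ = found
    out = bytearray(tcp)
    struct.pack_into("!H", out, offset, limit)
    return bytes(out), limit
```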


#2

Can you provide that link, please?


#3

The logical answer would be that it is only required for SYN-flagged packets and the rest of the sequence will follow that MSS.


#4

The page is: https://openwrt.org/docs/guide-user/firewall/firewall_configuration
in the zones section.


#5

Well, my interpretation of the tcpmss kernel module, which is enabled by mtu_fix, is that it does not affect outgoing traffic at all.


#6

Let's clarify terms.
The rule in the head post is only applied to the FORWARD chain, which only affects forwarded/transit traffic.
To affect outgoing traffic you should create the rule in the OUTPUT chain.