Firewall4: /etc/firewall.user

I wanted to add mss clamping with /etc/firewall.user:

# interface wildcards are quoted so the shell cannot glob-expand them before nft sees them
nft add table ip filter
nft add chain ip filter forward { type filter hook forward priority 0 \; }
nft add rule ip filter forward oifname "wg_*" tcp flags syn tcp option maxseg size set 1352
nft add rule ip filter forward iifname "wg_*" tcp flags syn tcp option maxseg size set 1352
nft add table ip6 filter
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add rule ip6 filter forward oifname "wg_*" tcp flags syn tcp option maxseg size set 1372
nft add rule ip6 filter forward iifname "wg_*" tcp flags syn tcp option maxseg size set 1372

However, nft list tables does not show any new tables. Is firewall.user no longer included?

Nope.

1 Like

I want something like this:

# https://wiki.nftables.org/wiki-nftables/index.php/Mangling_packet_headers
# interface wildcards are quoted so the shell cannot glob-expand them before nft sees them
nft add table ip filter
nft add chain ip filter forward { type filter hook forward priority 0 \; }
nft add rule ip filter forward oifname "wg_*" tcp flags syn tcp option maxseg size set 1352
nft add rule ip filter forward iifname "wg_*" tcp flags syn tcp option maxseg size set 1352
nft add table ip6 filter
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add rule ip6 filter forward oifname "wg_*" tcp flags syn tcp option maxseg size set 1372
nft add rule ip6 filter forward iifname "wg_*" tcp flags syn tcp option maxseg size set 1372

I can add chain rules in /etc/nftables.d. However, they are both merged into inet/fw4. How can I differentiate between ip4 and ip6?

Why don't you want to merge those rules? There is no useful reason at all to have separate ip/ip6 tables.

root@er-x:~# cat /etc/nftables.d/20-wg-maxseg-size.nft
# included by fw4 inside "table inet fw4", so one chain covers IPv4 and IPv6
chain wg_maxseg {
	type filter hook forward priority 0;
	# clamp the MSS option on SYN segments crossing any wg_* interface
	oifname "wg_*" tcp flags syn tcp option maxseg size set 1372
	iifname "wg_*" tcp flags syn tcp option maxseg size set 1372
}
2 Likes

Since there were different values assigned for IPv4 and IPv6 packets, maybe this is a good use for a map:

oifname "wg_*" tcp flags syn tcp option maxseg size set meta nfproto map { ipv4 : 1352, ipv6 : 1372 }
iifname "wg_*" tcp flags syn tcp option maxseg size set meta nfproto map { ipv4 : 1352, ipv6 : 1372 }
3 Likes
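Putting the pieces of this thread together, here is a complete /etc/nftables.d file that uses the nfproto map. This is an added example, not a file posted in the thread or shipped by firewall4; it assumes WireGuard interfaces named wg_*, reuses the chain name wg_maxseg and the MSS values 1352/1372 from the posts above, and relies on fw4 including every /etc/nftables.d/*.nft inside its inet fw4 table, which is why no table wrapper appears in the file.

```nft
# /etc/nftables.d/20-wg-maxseg-size.nft
# Added example, not the thread's own file. fw4 includes every
# /etc/nftables.d/*.nft inside "table inet fw4", so no "table" wrapper
# belongs here and a single chain handles both address families.
# Assumptions: tunnel interfaces are named wg_*, the chain name and the
# MSS values 1352 (IPv4) / 1372 (IPv6) are taken from the thread; derive
# your own values from your tunnel MTU.

chain wg_maxseg {
	# base chain on the forward hook; priority 0 matches the thread,
	# policy accept so the chain never drops anything by itself
	type filter hook forward priority 0; policy accept;

	# only SYN (and SYN/ACK) segments carry the MSS option, so match on
	# the SYN flag and rewrite the option value; the map picks the value
	# by address family instead of needing separate ip/ip6 tables
	oifname "wg_*" tcp flags syn tcp option maxseg size set meta nfproto map { ipv4 : 1352, ipv6 : 1372 } comment "clamp MSS towards wg"
	iifname "wg_*" tcp flags syn tcp option maxseg size set meta nfproto map { ipv4 : 1352, ipv6 : 1372 } comment "clamp MSS from wg"
}
```

After saving the file, run `fw4 check` to validate the rendered ruleset and `fw4 reload` to apply it, then confirm the chain landed where expected with `nft list chain inet fw4 wg_maxseg`. To verify the clamp on the wire, watch SYNs on a tunnel with `tcpdump -ni wg_x 'tcp[tcpflags] & tcp-syn != 0'` and check the mss value in the printed options. The MSS should be the path MTU minus the IP and TCP headers (40 bytes for IPv4, 60 for IPv6); if the wg_* interfaces already carry the correct MTU, `tcp option maxseg size set rt mtu` (from the nftables wiki page linked above) clamps to the route MTU without hard-coding numbers at all.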

Thanks to all of you!

I am very inexperienced and I was going in the same direction. I did:

	meta nfproto ipv4 oifname "wg_*" tcp flags syn tcp option maxseg size set 1352
	meta nfproto ipv4 iifname "wg_*" tcp flags syn tcp option maxseg size set 1352
	meta nfproto ipv6 oifname "wg_*" tcp flags syn tcp option maxseg size set 1372
	meta nfproto ipv6 iifname "wg_*" tcp flags syn tcp option maxseg size set 1372

However, your solution is much better!!!

@jow Did you see that? https://github.com/openwrt/routing/issues/731#issuecomment-1054636618
