From 0d497d0e077bfb27b0460c8a6104f37c21228a22 Mon Sep 17 00:00:00 2001
From: chayleaf
Date: Mon, 14 Aug 2023 05:50:48 +0700
Subject: [PATCH] mss clamp in both directions... maybe?

---
 system/hosts/router/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/system/hosts/router/default.nix b/system/hosts/router/default.nix
index e7e0538..0d5abfd 100644
--- a/system/hosts/router/default.nix
+++ b/system/hosts/router/default.nix
@@ -588,10 +588,10 @@ in {
 [(is.eq ether.daddr cfg.vacuumMac) (is.ne ip6.saddr (cidr netCidrs.lan6)) (is.ne ip6.saddr "@allow_iot6") (log "iot6/d ") drop]
 # MSS clamping - since VPN reduces max MTU
 # We only do this for the first packet in a connection, which should be enough
- [(is.eq meta.iifname "br0") (is.eq meta.nfproto (f: f.ipv4)) (is.eq meta.mark vpn_table)
- (is.gt tcpOpt.maxseg.size vpn_ipv4_mss) (mangle tcpOpt.maxseg.size vpn_ipv4_mss)]
- [(is.eq meta.iifname "br0") (is.eq meta.nfproto (f: f.ipv6)) (is.eq meta.mark vpn_table)
- (is.gt tcpOpt.maxseg.size vpn_ipv6_mss) (mangle tcpOpt.maxseg.size vpn_ipv6_mss)]
+ [(is.eq meta.nfproto (f: f.ipv4)) (is.eq meta.mark vpn_table) (is.gt tcpOpt.maxseg.size vpn_ipv4_mss)
+ (mangle tcpOpt.maxseg.size vpn_ipv4_mss)]
+ [(is.eq meta.nfproto (f: f.ipv6)) (is.eq meta.mark vpn_table) (is.gt tcpOpt.maxseg.size vpn_ipv6_mss)
+ (mangle tcpOpt.maxseg.size vpn_ipv6_mss)]
 # warn about dns requests to foreign servers
 # TODO: check back and see if I should forcefully redirect DNS requests from certain IPs to router
 [(is.eq meta.iifname "br0") (is.ne ip.daddr (netAddresses.lan4)) (is.eq ip.protocol (f: set [ f.tcp f.udp ]))
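Review bot: With `meta.iifname "br0"` dropped, the two clamping rules now match solely on the packet mark being `vpn_table`, so whether reply SYN-ACKs coming back from the VPN side are actually clamped depends on that mark being present on inbound packets too; if it is a routing mark applied only to flows leaving toward the VPN, return packets may not carry it and the "both directions" intent would silently not hold, which the hedged subject line suggests is unverified. If the mark is connection-scoped, matching the conntrack mark instead of the packet mark would make the rule genuinely direction-independent; otherwise a rule counter on these entries would confirm which direction is being hit. The comment above the rules still describes the old single-direction behaviour; suggest replacing the second comment line with `# Clamp MSS on SYN/SYN-ACK in either direction of a VPN-marked flow, regardless of ingress interface`. The enclosing rule list starts and ends outside this hunk.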