[FS#3231] firewall3: mtu_fix should apply mss clamping for both outgoing and incoming syn packets

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Mon Jul 13 07:14:08 EDT 2020


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Stanislav German-Evtushenko (giner) 

Attached to Project - OpenWrt/LEDE Project
Summary - firewall3: mtu_fix should apply mss clamping for both outgoing and incoming syn packets
Task Type - Bug Report
Category - Packages
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - TL;DR When mtu_fix is enabled, the MSS is only altered for incoming traffic, not outgoing. This affects clients with PMTU disabled.

The issue is quite difficult to reproduce as it requires specific conditions however it happens in real setups quite regularly.

The conditions are below:
- OpenWrt router working in "router" mode with IPv4 traffic NATed towards Internet
- Upstream is connected by means of something that has reduced MTU (PPPoE, DS-LITE, etc)
- mtu_fix is applied to WAN interfaces

The issue:
- MSS from a client towards a server in the internet is not reduced to fit the reduced MTU if the client has PMTU disabled (one example of such a client - LineageOS 16.x). As a result the packets of maximum MSS towards the server will be dropped.

Solution:
- Enable MSS clamping for incoming SYN packets on the interface with mtu_fix enabled

iptables without the fix:

# iptables-save -t mangle | grep clamp
-A FORWARD -o ds-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu


iptables with the fix:

# iptables-save -t mangle | grep clamp
-A FORWARD -o ds-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ds-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu


TCP session initiation without the fix (WAN mtu is 1452):

# tcpdump -ni wlan0 "(tcp[tcpflags] & (tcp-syn) != 0) and (host www.twitter.com)"
11:05:25.531925 IP 192.168.1.141.35040 > 104.244.42.129.80: Flags [S], seq 2878102236, win 64240, options [mss 1460,sackOK,TS val 2138517727 ecr 0,nop,wscale 7], length 0
11:05:25.536034 IP 104.244.42.129.80 > 192.168.1.141.35040: Flags [S.], seq 180174328, ack 2878102237, win 28960, options [mss 1420,sackOK,TS val 2685758451 ecr 2138517727,nop,wscale 8], length 0


Note *mss 1420* in the SYN packet towards the client. This makes the client consider 1420 to be the maximum possible MSS; however, if the client tries to send such a packet with the DF flag set, it will be **silently** dropped.

TCP session initiation with the fix (WAN mtu is 1452):

# tcpdump -ni wlan0 "(tcp[tcpflags] & (tcp-syn) != 0) and (host www.twitter.com)"
11:02:42.062918 IP 192.168.1.141.34954 > 104.244.42.129.80: Flags [S], seq 4079972940, win 64240, options [mss 1460,sackOK,TS val 2138354260 ecr 0,nop,wscale 7], length 0
11:02:42.067116 IP 104.244.42.129.80 > 192.168.1.141.34954: Flags [S.], seq 416388380, ack 4079972941, win 28960, options [mss 1412,sackOK,TS val 920483133 ecr 2138354260,nop,wscale 8], length 0


Note *mss 1412* in the SYN packet towards the client. This is the real maximum for the MSS.
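A small check a defender can run over LAN-side tcpdump output like the captures above, added here as an example and not part of the bug report or of firewall3: it parses the SYN lines and flags any segment delivered to a LAN host whose advertised MSS exceeds what the WAN MTU allows (MTU minus 40 bytes of IPv4 and TCP headers). The sample lines are copied from the report; the LAN prefix 192.168.1. is an assumption taken from those lines.

```python
import re

# IPv4 header (20 bytes) + TCP header without options (20 bytes).
IPV4_TCP_OVERHEAD = 40

# SYN / SYN-ACK lines as captured on the LAN side (wlan0) in the report:
# the first pair is before the fix, the last line is after it.
SAMPLE_SYNS = """\
11:05:25.531925 IP 192.168.1.141.35040 > 104.244.42.129.80: Flags [S], seq 2878102236, win 64240, options [mss 1460,sackOK,TS val 2138517727 ecr 0,nop,wscale 7], length 0
11:05:25.536034 IP 104.244.42.129.80 > 192.168.1.141.35040: Flags [S.], seq 180174328, ack 2878102237, win 28960, options [mss 1420,sackOK,TS val 2685758451 ecr 2138517727,nop,wscale 8], length 0
11:02:42.067116 IP 104.244.42.129.80 > 192.168.1.141.34954: Flags [S.], seq 416388380, ack 4079972941, win 28960, options [mss 1412,sackOK,TS val 920483133 ecr 2138354260,nop,wscale 8], length 0
"""

SYN_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\]"
    r".*?options \[(?P<opts>[^\]]*)\]"
)


def max_mss_for_mtu(mtu):
    """Largest MSS that still lets an IPv4 TCP segment fit into the given MTU."""
    return mtu - IPV4_TCP_OVERHEAD


def parse_syn(line):
    """Return (destination, advertised MSS or None) for a tcpdump SYN line."""
    m = SYN_RE.match(line)
    if not m:
        return None
    mss = None
    for opt in m.group("opts").split(","):
        opt = opt.strip()
        if opt.startswith("mss "):
            mss = int(opt.split()[1])
    return m.group("dst"), mss


def audit_lan_capture(capture, wan_mtu, lan_prefix="192.168.1."):
    """Flag SYN/SYN-ACKs delivered to LAN hosts whose MSS exceeds the WAN limit.

    Only packets whose destination is on the LAN have already passed the
    router's FORWARD chain at this capture point, so only those are judged;
    client-originated SYNs are seen before clamping and are skipped.
    Returns a list of (destination, mss, fits_wan_mtu) tuples.
    """
    limit = max_mss_for_mtu(wan_mtu)
    findings = []
    for line in capture.splitlines():
        parsed = parse_syn(line)
        if parsed is None:
            continue
        dst, mss = parsed
        if not dst.startswith(lan_prefix) or mss is None:
            continue
        findings.append((dst, mss, mss <= limit))
    return findings
```

With a WAN MTU of 1452 the unclamped SYN-ACK (mss 1420) is reported as not fitting, while the clamped one (mss 1412) passes.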

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3231

