LinuxQuestions.org
Old 12-15-2016, 03:44 PM   #1
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Rep: Reputation: Disabled
Set-mss in iptables not modifying mss in TCP packet


Hi,

I can't get iptables to adjust the MSS in OpenWrt.

I need all packets exiting to have their MSS set to 1360. I had to turn off PMTU discovery, so the auto clamping is not an option. The exit interface for the gretap tunnel is eth0.3. The packets come into the GRETAP interface, which is a strongSwan RADIUS-assigned VIP. So gretap > br0 > eth0.3. So when they exit eth0.3 the GRETAP encapsulation should be gone. I added rules to both mangle FORWARD and POSTROUTING and nothing.

root@Need-Config:/etc# iptables -S -v -t mangle
-P PREROUTING ACCEPT -c 18366 7184558
-P INPUT ACCEPT -c 16635 7056183
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 4750 611121
-P POSTROUTING ACCEPT -c 4750 611121
-A FORWARD -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1360
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1360
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o br-br0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 0 0 -j TCPMSS --set-mss 1360
-A POSTROUTING -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 0 0 -j TCPMSS --set-mss 1360
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 0 0 -j TCPMSS --set-mss 1360
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1360
-A POSTROUTING -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1360
root@Need-Config:/etc#

I can't get the packets to hit my rules:

root@Need-Config:/etc# iptables -L -v -t mangle
Chain PREROUTING (policy ACCEPT 12207 packets, 4281K bytes)
pkts bytes target prot opt in out source destination

Chain INPUT (policy ACCEPT 10895 packets, 4199K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any eth0.3 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0.2 anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU
0 0 TCPMSS tcp -- any usb0 anywhere anywhere tcp flags:SYN,RST/SYN /* !fw3: wan (mtu_fix) */ TCPMSS clamp to PMTU

Chain OUTPUT (policy ACCEPT 3880 packets, 535K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 3880 packets, 535K bytes)
pkts bytes target prot opt in out source destination
0 0 TCPMSS tcp -- any br-br0 anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0.3 anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST,ACK/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
0 0 TCPMSS tcp -- any eth0.3 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS set 1360
root@Need-Config:/etc#

I confirmed with Wireshark that the MSS is not being modified as I was expecting.

Any help would be appreciated. I really don't want to remove the DF bit. Thanks.

CB
 
Old 12-16-2016, 12:52 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Ok, I'm thinking your rules are not matching the packets, thus nothing is being altered. Have you tried removing the flag settings from your rules, since you state "I need to set all packets exiting to set mss to 1360"? If you need all packets, then the flag setting should not matter.
 
Old 12-16-2016, 01:58 PM   #3
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
Hi Robert,

Here's what I figured out since last night. If I remove the -o flag and set a policy rule, I get further. While my rule gets hits, sadly it does not mangle the MSS:

root@Need-Config:/etc# iptables -t mangle -S -v
-P PREROUTING ACCEPT -c 2347 1589909
-P INPUT ACCEPT -c 2306 1586734
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 2003 559362
-P POSTROUTING ACCEPT -c 0 0
-A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1340
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 24 1440 -j TCPMSS --set-mss 1340 <--Rule is hit, but does not mangle the tcp mss value on exit
-A POSTROUTING -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1340
-A POSTROUTING -o eth0.2 -c 22435 5712270 -j ACCEPT
-A POSTROUTING -o gre-gretap_NAT1 -c 0 0 -j ACCEPT
-A POSTROUTING -o br-lan -c 3715 559360 -j ACCEPT
-A POSTROUTING -o tap0 -c 0 0 -j ACCEPT
-A POSTROUTING -o eth0.1 -c 0 0 -j ACCEPT
-A POSTROUTING -o lo -c 486 80333 -j ACCEPT
-A POSTROUTING -o eth0.3 -c 0 0 -j ACCEPT
-A POSTROUTING -o br-br0 -c 0 0 -j ACCEPT
-A POSTROUTING -o eth0 -c 2427 116496 -j ACCEPT
root@Need-Config:/etc#

Below is a connection to craigslist from the local client 10.105.0.200. As you can see, the MSS is not 1340, though this rule, "-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -c 24 1440 -j TCPMSS --set-mss 1340", is being hit.

208.82.237.146.443 > 10.105.0.200.52548: Flags [S.], cksum 0xc92a (correct), seq 1367988955, ack 1299286265, win 8192, options [mss 1460,sackOK,eol], length 0
19:49:12.907690 IP (tos 0x0, ttl 128, id 5805, offset 0, flags [DF], proto TCP (6), length 40)

Not sure why it's not hitting the traffic on eth0.3, but I can likely come back to that later. Thanks.

Chris

Last edited by sloppytypist; 12-16-2016 at 02:00 PM.
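The two things this post exercises, the `--tcp-flags MASK COMP` test and the rewrite that `TCPMSS --set-mss` performs on a matching segment, are easier to reason about with a model in hand. The block below is an added example, not code from the thread or from netfilter: it builds TCP segments by hand (the addresses and ports are taken from the tcpdump line above; the sequence numbers and window are constructed), checks a segment against a rule's flag mask exactly the way iptables does, and rewrites the MSS option with a corrected checksum. The function names (`tcp_flags_match`, `set_mss`, `apply_rule`) are the example's own. It models the rewrite only; the real xt_TCPMSS target also inserts an MSS option into a SYN that lacks one, and iptables refuses to load a TCPMSS rule whose tcp match does not require the SYN flag.

```python
"""Added example: model of iptables --tcp-flags matching and TCPMSS --set-mss.
Every segment here is constructed in the example; nothing is captured traffic."""
import socket
import struct

# TCP control bits (RFC 9293, header byte 13).
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def flags_value(names):
    """Combine flag names ('SYN', 'ACK', ...) into the byte-13 bit pattern."""
    return sum(FLAGS[n] for n in names)


def tcp_flags_match(pkt_flags, mask, comp):
    """iptables --tcp-flags MASK COMP: look only at the bits in MASK and
    require exactly the bits in COMP to be set among them.
    So 'SYN,RST SYN' matches SYN and SYN-ACK; 'SYN,RST,ACK SYN' matches only a bare SYN."""
    return (pkt_flags & flags_value(mask)) == flags_value(comp)


def tcp_checksum(src, dst, segment):
    """RFC 9293 checksum over the IPv4 pseudo-header plus the TCP segment.
    Returns 0 when run over a segment whose checksum field is already correct."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src, dst, sport, dport, flags, mss=None):
    """Construct a minimal TCP segment (no payload) with an optional MSS option."""
    options = b""
    if mss is not None:
        options += struct.pack("!BBH", 2, 4, mss)  # kind 2, length 4, value
    while len(options) % 4:
        options += b"\x00"  # pad to a 32-bit boundary with End-of-Option-List
    doff = (20 + len(options)) // 4
    # Constructed sequence number 1000, ack 0, window 8192, checksum 0 for now.
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4, flags, 8192, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def _find_mss_offset(segment):
    """Walk the option list; return the byte offset of the MSS option or None."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:      # End of option list
            break
        if kind == 1:      # NOP, single byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return i
        i += length
    return None


def parse_mss(segment):
    """Return the advertised MSS, or None if the segment carries no MSS option."""
    off = _find_mss_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def set_mss(src, dst, segment, new_mss):
    """What TCPMSS --set-mss does to a matching segment: overwrite the MSS option
    value in place and recompute the TCP checksum. Segments without an MSS
    option are returned unchanged (the kernel target would insert one)."""
    off = _find_mss_offset(segment)
    if off is None:
        return segment
    buf = bytearray(segment)
    struct.pack_into("!H", buf, off + 2, new_mss)
    struct.pack_into("!H", buf, 16, 0)  # zero the checksum field before recomputing
    struct.pack_into("!H", buf, 16, tcp_checksum(src, dst, bytes(buf)))
    return bytes(buf)


def apply_rule(src, dst, segment, mask, comp, new_mss):
    """Model one '-p tcp --tcp-flags MASK COMP -j TCPMSS --set-mss N' rule.
    Returns (segment, hit): the rewritten segment if the flag test passed."""
    if not tcp_flags_match(segment[13], mask, comp):
        return segment, False
    return set_mss(src, dst, segment, new_mss), True


if __name__ == "__main__":
    # The SYN-ACK from the tcpdump line above, reconstructed: server -> client, mss 1460.
    srv, cli = "208.82.237.146", "10.105.0.200"
    synack = build_tcp(srv, cli, 443, 52548, flags_value(["SYN", "ACK"]), mss=1460)
    for mask in (["SYN", "RST", "ACK"], ["SYN", "RST"]):
        out, hit = apply_rule(srv, cli, synack, mask, ["SYN"], 1340)
        print("--tcp-flags %s SYN: hit=%s mss=%d checksum_ok=%s"
              % (",".join(mask), hit, parse_mss(out), tcp_checksum(srv, cli, out) == 0))
```

Running the block shows the SYN-ACK being left at 1460 by the `SYN,RST,ACK SYN` mask and rewritten to 1340 by the `SYN,RST SYN` mask, with the checksum valid after the rewrite.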
 
Old 12-16-2016, 02:27 PM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Try changing your rule to something like this:
Code:
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0.3 -j TCPMSS --set-mss 1340
 
Old 12-16-2016, 03:29 PM   #5
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
No go I'm afraid.

I put in two rules:

iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0.3 -j TCPMSS --set-mss 1340
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1340


root@Need-Config:/etc# iptables -S -v -t mangle
-P PREROUTING ACCEPT -c 8700 4127458
-P INPUT ACCEPT -c 7599 3954100
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 6730 1153074
-P POSTROUTING ACCEPT -c 6730 1153074
-A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -o usb0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -c 0 0 -j TCPMSS --clamp-mss-to-pmtu
-A POSTROUTING -o eth0.3 -p tcp -m tcp --tcp-flags SYN,RST SYN -c 0 0 -j TCPMSS --set-mss 1340
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN -c 90 5400 -j TCPMSS --set-mss 1340

The eth0.3 rule gets zero hits, and the chain policy rule gets hits but does not modify the MSS.

Chris
 
Old 12-16-2016, 08:43 PM   #6
sloppytypist
LQ Newbie
 
Registered: Dec 2016
Posts: 13

Original Poster
Rep: Reputation: Disabled
I did some testing on a couple of Mikrotiks, which use iptables/nf. I set up one operating in layer 3 and one operating in L2, bridging ports as in my setup on the current devices. The set-mss did not work in bridge mode; iptables just ignored the packets. I wonder if a packet needs to be L3 routed instead of L2 forwarded for iptables to adjust the MSS? Perhaps?

Chris
 
Old 12-19-2016, 08:54 AM   #7
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
In bridge mode they should be hitting the FORWARD rule set.
 