clamp mtu

2 files changed, 12 insertions, 0 deletions

diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 054946c..5bb058c 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -83,6 +83,12 @@ COMMIT
 {% endfor %}
 {% endif %}
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+iptables -A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables -A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+{% endfor %}
+{% endif %}
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 3519924..3c750f9 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -69,6 +69,12 @@ COMMIT
 {% endfor %}
 {% endif %}
 -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+iptables -A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables -A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+{% endfor %}
+{% endif %}
 
 COMMIT
 *nat