Update [email protected] with PMTUD support #3

Open
wants to merge 1 commit into base: master
Conversation

bencorrado

I was seeing failures for routing large packets where the auto negotiation by PMTUD would normally cause the MSS to be adjusted for the overhead. With the rules in place, ICMP was blocked by the firewall rules, so there was no PMTUD happening. This opens the right connections for ICMP to allow PMTUD to negotiate the packet sizes.
@fernandoenzo
Owner

Hi! Thank you very much for taking the time to use my project, for your feedback, and for wanting to contribute. However, I think your pull request is not necessary, after carefully analyzing the existing firewall rules:

Looking at Tailgate's implementation:

  1. The tailgate chain only connects to outgoing traffic through:
     iptables -I OUTPUT -j tailgate
  2. And within that chain, the only restrictive rule is:
     iptables -A tailgate -p udp --sport $PORT -j DROP

This rule specifically:

  • Only affects UDP traffic (-p udp)
  • Only the source port used by Tailscale (--sport $PORT)
  • And then there's an exception to allow that UDP traffic through the specific interface

Therefore, the rules you're proposing are unnecessary since:

  • ICMP traffic flows freely without needing specific rules, as it's not affected by Tailgate's rules
  • TCP MSS clamping might be useful in general, but has nothing to do with Tailgate's operation since TCP traffic isn't affected either
  • The cleanup rules are consequently unnecessary as well, as they're cleaning up rules that aren't needed in the first place

Tailgate's original rules are specifically designed to force Tailscale's UDP traffic to exit only through a specific interface, without affecting any other type of traffic. Therefore, while I appreciate your contribution, adding these rules would unnecessarily complicate the service without providing any benefit to its operation.

Of course, if you think I'm wrong and want to explain to me the reasons why I should incorporate your lines into the project, I'm all ears. Otherwise, I could suggest that you incorporate your rules into a separate systemd unit, independent of Tailgate, to handle the use case you propose.

Thank you again for your interest in improving the project!
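To make the argument above concrete, here is a small first-match model of the tailgate chain as described in this thread. It is an added example, not Tailgate's own code; it does not run iptables, and the port value, interface name and the placement of the ACCEPT exception above the DROP rule are assumptions.

```python
# Added example: a first-match model of the tailgate chain described in the thread.
# It does not touch iptables. PORT, IFACE and the ACCEPT exception's exact form
# (and its position above the DROP) are assumptions, not Tailgate's real rules.
from dataclasses import dataclass
from typing import Optional

PORT = 41641        # assumed Tailscale UDP source port ($PORT in the thread)
IFACE = "eth0"      # assumed interface Tailscale traffic is forced out of


@dataclass(frozen=True)
class Packet:
    proto: str                   # "udp", "tcp" or "icmp"
    sport: Optional[int] = None  # source port (None for icmp)
    oif: str = "eth0"            # outgoing interface


@dataclass(frozen=True)
class Rule:
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # -p
    sport: Optional[int] = None  # --sport
    oif: Optional[str] = None    # -o

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.oif is None or self.oif == p.oif))


# iptables stops at the first matching rule, so the exception must sit above the
# DROP for it to ever fire (e.g. added with -I rather than -A); assumed ordering.
TAILGATE_CHAIN = [
    Rule("ACCEPT", proto="udp", sport=PORT, oif=IFACE),  # assumed exception rule
    Rule("DROP", proto="udp", sport=PORT),               # -p udp --sport $PORT -j DROP
]


def tailgate_verdict(p: Packet, chain=TAILGATE_CHAIN) -> str:
    """Return ACCEPT/DROP from the chain, or RETURN when no rule matched, i.e. the
    packet falls back to OUTPUT's default policy and Tailgate never touched it."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return "RETURN"


def untouched_by_tailgate(p: Packet) -> bool:
    return tailgate_verdict(p) == "RETURN"
```

ICMP and TCP packets never match either rule, so PMTUD and MSS clamping are unaffected by the chain; only UDP from the Tailscale port on a different interface is dropped.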
