From 4669e7f7d54ec559793a5bcc3bdce2d5829ee81d Mon Sep 17 00:00:00 2001
From: Maisem Ali
Date: Wed, 20 Sep 2023 10:59:13 -0700
Subject: [PATCH] cmd/containerboot: add iptables based MSS clamping for ingress/egress proxies

In typical k8s setups, the MTU configured on the eth0 interfaces is typically 1500 which results in packets being dropped when they make it to proxy pods as the tailscale0 interface has a 1280 MTU. As the primary use of this functionality is TCP, add iptables based MSS clamping to allow connectivity.

Updates #502

Signed-off-by: Maisem Ali
---
 cmd/containerboot/main.go | 13 +++++++++++++
 cmd/containerboot/main_test.go | 2 ++
 2 files changed, 15 insertions(+)

diff --git a/cmd/containerboot/main.go b/cmd/containerboot/main.go
index 3676db02c..893495063 100644
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -696,6 +696,13 @@ func installEgressForwardingRule(ctx context.Context, dstStr string, tsIPs []net
 	if err := cmdSNAT.Run(); err != nil {
 		return fmt.Errorf("setting up SNAT via iptables failed: %w", err)
 	}
+
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
 	return nil
 }
 
@@ -731,6 +738,12 @@ func installIngressForwardingRule(ctx context.Context, dstStr string, tsIPs []ne
 	if err := cmd.Run(); err != nil {
 		return fmt.Errorf("executing iptables failed: %w", err)
 	}
+	cmdClamp := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
+	cmdClamp.Stdout = os.Stdout
+	cmdClamp.Stderr = os.Stderr
+	if err := cmdClamp.Run(); err != nil {
+		return fmt.Errorf("executing iptables failed: %w", err)
+	}
 	return nil
 }
 
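Review bot: The clamp block is pasted verbatim into both installEgressForwardingRule and installIngressForwardingRule (the second hunk), and in the egress function its error text `executing iptables failed` is less specific than the neighbouring `setting up SNAT via iptables failed`, so a failure of the new rule cannot be told apart from the NAT steps by the message alone. Moving the rule into one helper keeps the two proxies in step and gives the rule a home for a why-comment, since nothing in the hunks says why `-A` on mangle/FORWARD with `-o tailscale0` is the intended shape; something like `// Clamp the MSS of SYNs forwarded out tailscale0 (MTU 1280) so tailnet peers never send segments the tunnel cannot carry.` would cover it. Two caveats belong in that comment: `-A` appends a second copy if the function is ever re-run in the same network namespace (an `iptables -C` probe before `-A` would make it idempotent; whether re-runs happen is not visible here), and `-o tailscale0` clamps only the MSS offered to the tailnet side, which is enough when the peer is itself a tailscale node but may not be for peers reached through a subnet router. Both enclosing functions start outside their hunks.

```go
// installMSSClampRule appends a mangle-table rule that clamps the MSS of
// TCP SYN packets forwarded out tailscale0 to that interface's path MTU
// (1280 bytes), so tailnet peers never send segments the tunnel cannot
// carry. argv0 is the iptables executable the callers already resolve.
func installMSSClampRule(ctx context.Context, argv0 string) error {
	cmd := exec.CommandContext(ctx, argv0, "-t", "mangle", "-A", "FORWARD", "-o", "tailscale0", "-p", "tcp", "-m", "tcp", "--tcp-flags", "SYN,RST", "SYN", "-j", "TCPMSS", "--clamp-mss-to-pmtu")
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	if err := cmd.Run(); err != nil {
		return fmt.Errorf("setting up MSS clamping via iptables failed: %w", err)
	}
	return nil
}

// … unchanged: installEgressForwardingRule up to and including the SNAT rule …
	return installMSSClampRule(ctx, argv0)
}

// … unchanged: installIngressForwardingRule up to and including the DNAT rule …
	return installMSSClampRule(ctx, argv0)
}
```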
diff --git a/cmd/containerboot/main_test.go b/cmd/containerboot/main_test.go
index e1353a8e6..67f75a4b3 100644
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -330,6 +330,7 @@ func TestContainerBoot(t *testing.T) {
 				WantCmds: []string{
 					"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 					"/usr/bin/iptables -t nat -I PREROUTING 1 -d 100.64.0.1 -j DNAT --to-destination 1.2.3.4",
+					"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
 				},
 			},
 		},
@@ -354,6 +355,7 @@ func TestContainerBoot(t *testing.T) {
 					"/usr/bin/tailscale --socket=/tmp/tailscaled.sock set --accept-dns=false",
 					"/usr/bin/iptables -t nat -I PREROUTING 1 ! -i tailscale0 -j DNAT --to-destination 100.99.99.99",
 					"/usr/bin/iptables -t nat -I POSTROUTING 1 --destination 100.99.99.99 -j SNAT --to-source 100.64.0.1",
+					"/usr/bin/iptables -t mangle -A FORWARD -o tailscale0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
 				},
 			},
 		},