util/linuxfw: fix MSS clamping in nftables mode (#11588)

MSS clamping for nftables was mostly not ran due to to an earlier rule in the FORWARD chain issuing accept verdict. This commit places the clamping rule into a chain of its own to ensure that it gets ran. Updates tailscale/tailscale#11002 Signed-off-by: Irbe Krumina <irbe@tailscale.com>
8 months ago · 92ca770b8d
parent 27038ee3c2
commit 92ca770b8d
1 changed files with 28 additions and 4 deletions
--- a/util/linuxfw/nftables_runner.go
+++ b/util/linuxfw/nftables_runner.go
@ -62,6 +62,11 @@ type nftable struct {
 //   - The table and chain conventions followed here are those used by
 //     `iptables-nft` and `ufw`, so that those tools co-exist and do not
 //     negatively affect Tailscale function.
 //   - Be mindful that 1) all chains attached to a given hook (i.e the forward hook)
 //     will be processed in priority order till either a rule in one of the chains issues a drop verdict
 //     or there are no more chains for that hook
 //     2) processing of individual rules within a chain will stop once one of them issues a final verdict (accept, drop).
 //     https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
 type nftablesRunner struct {
 	conn *nftables.Conn
 	nft4 *nftable
@ -238,6 +243,25 @@ func (n *nftablesRunner) AddSNATRuleForDst(src, dst netip.Addr) error {
 	return n.conn.Flush()
 }
 // ClampMSSToPMTU ensures that all packets with TCP flags (SYN, ACK, RST) set
 // being forwarded via the given interface (tun) have MSS set to <MTU of the
 // interface> - 40 (IP and TCP headers). This can be useful if this tailscale
 // instance is expected to run as a forwarding proxy, forwarding packets from an
 // endpoint with higher MTU in an environment where path MTU discovery is
 // expected to not work (such as the proxies created by the Tailscale Kubernetes
 // operator). ClamMSSToPMTU creates a new base-chain ts-clamp in the filter
 // table with accept policy and priority -150. In practice, this means that for
 // SYN packets the clamp rule in this chain will likely run first and accept the
 // packet. This is fine because 1) nftables run ALL chains with the same hook
 // type unless a rule in one of them drops the packet and 2) this chain does not
 // have functionality to drop the packet- so in practice a matching clamp rule
 // will always be followed by the custom tailscale filtering rules in the other
 // chains attached to the filter hook (FORWARD, ts-forward).
 // We do not want to place the clamping rule into FORWARD/ts-forward chains
 // because wgengine populates those chains with rules that contain accept
 // verdicts that would cause no further procesing within that chain. This
 // functionality is currently invoked from outside wgengine (containerboot), so
 // we don't want to race with wgengine for rule ordering within chains.
 func (n *nftablesRunner) ClampMSSToPMTU(tun string, addr netip.Addr) error {
 	polAccept := nftables.ChainPolicyAccept
 	table := n.getNFTByAddr(addr)
@ -246,13 +270,13 @@ func (n *nftablesRunner) ClampMSSToPMTU(tun string, addr netip.Addr) error {
 		return fmt.Errorf("error ensuring filter table: %w", err)
 	}
-	// ensure forwarding chain exists
+	// ensure ts-clamp chain exists
 	fwChain, err := getOrCreateChain(n.conn, chainInfo{
 		table:         filterTable,
-		name:          "FORWARD",
+		name:          "ts-clamp",
 		chainType:     nftables.ChainTypeFilter,
 		chainHook:     nftables.ChainHookForward,
-		chainPriority: nftables.ChainPriorityFilter,
+		chainPriority: nftables.ChainPriorityMangle,
 		chainPolicy:   &polAccept,
 	})
 	if err != nil {
@ -289,7 +313,7 @@ func (n *nftablesRunner) ClampMSSToPMTU(tun string, addr netip.Addr) error {
 				Xor:            []byte{0x00},
 			},
 			&expr.Cmp{
-				Op:       expr.CmpOpNeq,
+				Op:       expr.CmpOpNeq, // match any packet with a TCP flag set (SYN, ACK, RST)
 				Register: 1,
 				Data:     []byte{0x00},
 			},