From bbcaaa58b61f1e648f51df1d0deb0b0d7bc71352 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Fri, 25 Jun 2021 18:20:06 +0000
Subject: [PATCH] Add MSS clamping option
---
 firewall.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/firewall.py b/firewall.py
index 4ebd677..ec5fc8f 100755
--- a/firewall.py
+++ b/firewall.py
@@ -11,6 +11,7 @@ FQDN = socket.getfqdn()
 DEBUG = os.getenv("DEBUG")
 DISABLE_MASQUERADE = os.getenv("DISABLE_MASQUERADE")
 MONGO_URI = os.getenv("MONGO_URI")
+TCP_MSS_CLAMPING = int(os.getenv("TCP_MSS_CLAMPING", "1452"))
 mongo_uri = pymongo.uri_parser.parse_uri(MONGO_URI)
 ALLOW_MONGO_REPLICA_TRAFFIC = False
@@ -71,6 +72,12 @@ def generate_firewall_rules(disabled=False):
 yield "-A OUTPUT -j ACCEPT"
 yield "COMMIT"
+ yield "*mangle"
+ yield "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN " \ "-m tcpmss --mss %d:1536 -j TCPMSS --set-mss %d " \ "-m comment --comment \"MSS clamping\"" % (TCP_MSS_CLAMPING+1, TCP_MSS_CLAMPING)
+ yield "COMMIT"
+
 yield "*nat"
 yield ":PREROUTING ACCEPT [0:0]"
 if disabled:
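Review bot: `TCP_MSS_CLAMPING = int(os.getenv("TCP_MSS_CLAMPING", "1452"))` accepts any integer, but the rule built from it in the second hunk uses it as the lower bound of `--mss %d:1536` (as `TCP_MSS_CLAMPING+1`), so a value of 1536 or above produces an inverted match range that iptables will most likely reject, and zero or negative values are not meaningful MSS values either; a non-numeric value raises a bare `ValueError` at import time without naming the variable. Since the generated text is presumably loaded as one `*table`/`COMMIT` unit, a single rejected rule can leave the host without the rest of the intended ruleset, so it is worth failing early with a clear message: `if not 0 < TCP_MSS_CLAMPING < 1536: raise SystemExit("TCP_MSS_CLAMPING must be between 1 and 1535")`. Wrapping the `int()` call in a `try`/`except ValueError` that names the variable would make the other failure mode equally explicit.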
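Review bot: The upper bound `1536` in `--mss %d:1536` is hard-coded while the lower bound comes from the environment, so SYN segments advertising an MSS above 1536 (for example from hosts on jumbo-frame links) pass through unclamped; if the goal is to protect a path of known overhead, `--mss %d:65535` covers every oversize segment, and the TCPMSS target's `--clamp-mss-to-pmtu` is the alternative when the overhead is not fixed. The new mangle section also declares no `:FORWARD ACCEPT [0:0]` line, unlike the nat section that follows; the built-in chain exists regardless, but stating it keeps the tables consistent and the policy explicit. `generate_firewall_rules` starts before this hunk and its body continues after it.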