Skip to content

Update tailgate-allow@.service with PMTUD support#3

Open
bencorrado wants to merge 1 commit intofernandoenzo:masterfrom
bencorrado:patch-1
Open

Update tailgate-allow@.service with PMTUD support#3
bencorrado wants to merge 1 commit intofernandoenzo:masterfrom
bencorrado:patch-1

Conversation

@bencorrado
Copy link

@bencorrado bencorrado commented Nov 26, 2024

I was seeing failures for routing large packets where the auto negotiation by PMTUD would normally cause the MSS to be adjusted for the overhead. With the rules in allow ICMP was blocked by the firewall rules, so there was no PMTUD happening. This opens the right connections for ICMP to allow PMTUD to negotiate the packet sizes.

@bencorrado
Update tailgate-allow@.service with PMTUD support
bbe8928 
I was seeing failures for routing large packets where the auto negotiation by PMTUD would normally cause the MSS to be adjusted for the overhead.  With the rules in allow ICMP was blocked by the firewall rules, so there was no PMTUD happening.  This opens the right connections for ICMP to allow PMTUD to negotiate the packet sizes.
@fernandoenzo
Copy link
Owner

fernandoenzo commented Nov 26, 2024

Hi! Thank you very much for taking the time to use my project, for your feedback, and for wanting to contribute. However, I think your pull request is not necessary because after carefully analyzing the existing firewall rules:

Looking at Tailgate's implementation:

  1. The tailgate chain only connects to outgoing traffic through:
iptables -I OUTPUT -j tailgate
  1. And within that chain, the only restrictive rule is:
iptables -A tailgate -p udp --sport $PORT -j DROP

This rule specifically:

  • Only affects UDP traffic (-p udp)
  • Only the source port used by Tailscale (--sport $PORT)
  • And then there's an exception to allow that UDP traffic through the specific interface

Therefore, the rules you're proposing are unnecessary since:

  • ICMP traffic flows freely without needing specific rules, as it's not affected by Tailgate's rules
  • TCP MSS clamping might be useful in general, but has nothing to do with Tailgate's operation since TCP traffic isn't affected either
  • The cleanup rules are consequently unnecessary as well, as they're cleaning up rules that aren't needed in the first place

Tailgate's original rules are specifically designed to force Tailscale's UDP traffic to exit only through a specific interface, without affecting any other type of traffic. Therefore, while I appreciate your contribution, adding these rules would unnecessarily complicate the service without providing any benefit to its operation.

Of course, if you think I'm wrong and want to explain to me the reasons why I should incorporate your lines into the project, I'm all ears. Otherwise, I could suggest that you incorporate your rules into a separate systemd unit, independent of Tailgate, to handle the use case you propose.

Thank you again for your interest in improving the project!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bencorrado @fernandoenzo