nixos-module/container/upstream: move clamp-mss-to-pmtu outa pppoe

2022-09-19 21:43:38 +02:00 · 2022-09-19 21:43:38 +02:00 · 626d8076bb
parent 4d094ae077
commit 626d8076bb
2 changed files with 8 additions and 9 deletions
--- a/nix/nixos-module/container/upstream.nix
+++ b/nix/nixos-module/container/upstream.nix
@ -65,6 +65,14 @@ in
    externalInterface = firstUpstreamInterface;
    externalIP = staticIpv4Address;
    extraCommands = ''
+      # Add workaround for upstreams with wonky MTU
+      iptables -t mangle -A FORWARD \
+        -p tcp --tcp-flags SYN,RST SYN \
+        -j TCPMSS --clamp-mss-to-pmtu
+      ip6tables -t mangle -A FORWARD \
+        -p tcp --tcp-flags SYN,RST SYN \
+        -j TCPMSS --clamp-mss-to-pmtu
+
      # Prohibit SMTP except for servers
      iptables -N fwd_smtp || \
        iptables -F fwd_smtp
--- a/nix/nixos-module/container/upstream/pppoe.nix
+++ b/nix/nixos-module/container/upstream/pppoe.nix
@ -84,13 +84,4 @@ in lib.mkIf (pppoeInterfaces != {}) {
      };
    }) {} (builtins.attrNames pppoeInterfaces);

-  networking.nat.extraCommands = ''
-    iptables -A FORWARD \
-      -p tcp --tcp-flags SYN,RST SYN \
-      -j TCPMSS --clamp-mss-to-pmtu
-    ip6tables -A FORWARD \
-      -p tcp --tcp-flags SYN,RST SYN \
-      -j TCPMSS --clamp-mss-to-pmtu
-  '';
-
 }