From 54515eb744b4db6797ec289883eb925847215cb2 Mon Sep 17 00:00:00 2001
From: Niklas Yann Wettengel
Date: Wed, 7 Mar 2018 01:17:55 +0100
Subject: [PATCH] clamp mtu

---
 roles/configure_iptables/templates/ip6tables.rules | 6 ++++++
 roles/configure_iptables/templates/iptables.rules | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/roles/configure_iptables/templates/ip6tables.rules b/roles/configure_iptables/templates/ip6tables.rules
index 054946c..5bb058c 100644
--- a/roles/configure_iptables/templates/ip6tables.rules
+++ b/roles/configure_iptables/templates/ip6tables.rules
@@ -83,6 +83,12 @@ COMMIT
 {% endfor %}
 {% endif %}
 -A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+iptables -A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables -A FORWARD -o {{ peer.name }} -s 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+{% endfor %}
+{% endif %}
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/roles/configure_iptables/templates/iptables.rules b/roles/configure_iptables/templates/iptables.rules
index 3519924..3c750f9 100644
--- a/roles/configure_iptables/templates/iptables.rules
+++ b/roles/configure_iptables/templates/iptables.rules
@@ -69,6 +69,12 @@ COMMIT
 {% endfor %}
 {% endif %}
 -A FORWARD -o {{ ansible_default_ipv4.interface }} -j REJECT
+{% if 'ffrl_uplink' in group_names %}
+{% for peer in ffrl_peers %}
+iptables -A FORWARD -i {{ peer.name }} -d 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+iptables -A FORWARD -o {{ peer.name }} -s 10.222.0.0/16 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+{% endfor %}
+{% endif %}
 COMMIT
 *nat
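Review bot: The two added TCPMSS rule lines in the ip6tables.rules hunk start with the word `iptables`, but the surrounding context (`-A FORWARD -o {{ ansible_default_ipv6.interface }} -j REJECT`, `COMMIT`, `*nat`) shows this template is in restore format, where a rule line starts directly with `-A`. The restore parser will most likely reject such a line, and a failed load can leave `ffrl_uplink` hosts without the intended ruleset, including the REJECT rule just above. The lines should read `-A FORWARD -i {{ peer.name }} -d 2a03:2260:1016::/48 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu` (and likewise for the `-o`/`-s` line); the same prefix appears on both added rule lines in the iptables.rules hunk. The table these rules are appended to starts above the hunk, so it is also worth confirming that no earlier FORWARD rule already accepts the peer traffic, since the clamp would then never be reached. Running the rendered files through `iptables-restore --test` and `ip6tables-restore --test` before deployment would catch the syntax problem.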