ffh.exitnode: add MTU fix for QUIC

This commit creates a dummy interface with the "bottleneck" MTU among our VPN path (currently batadv - see issue #80). Furthermore it creates an iptables DNAT rule which changes the destination IP address of incoming QUIC (UDP 443) packets which exceed the bottleneck MTU to a special IPv4 continuity address which is part of the subnet of the dummy interface. When an oversized QUIC packet arrives, it will thus be routed to the dummy interface which in turn generates an ICMP destination unreachable (fragmentation needed) packet as the packet does not fit the MTU of the dummy interface. The QUIC servers will react to the ICMP packet by changing the PMTU of their UDP sockets according to the maximum MTU advertised in the ICMP message, which is the dummy interface's MTU.
freifunkh · Jan 17, 2021 · 393e2a5 · 393e2a5
1 parent 6518b2b
commit 393e2a5
Show file tree

Hide file tree

Showing 7 changed files with 35 additions and 2 deletions.
diff --git a/roles/ffh.exitnode/files/mtudummy.netdev b/roles/ffh.exitnode/files/mtudummy.netdev
@@ -0,0 +1,5 @@
+[NetDev]
+Name=mtudummy
+Kind=dummy
+MTUBytes=1298
+
diff --git a/roles/ffh.exitnode/files/mtudummy.network b/roles/ffh.exitnode/files/mtudummy.network
@@ -0,0 +1,5 @@
+[Match]
+Name=mtudummy
+
+[Network]
+Address=192.0.0.2/29
diff --git a/roles/ffh.exitnode/templates/rc.local.j2 → roles/ffh.exitnode/files/rc.local b/roles/ffh.exitnode/templates/rc.local.j2 → roles/ffh.exitnode/files/rc.local
diff --git a/roles/ffh.exitnode/tasks/main.yml b/roles/ffh.exitnode/tasks/main.yml
@@ -1,5 +1,8 @@
 ---
 
+- name: MTU workaround
+  include_tasks: mtudummy.yml
+
 - name: GRE stuff
   include_tasks: gre.yml
 

diff --git a/roles/ffh.exitnode/tasks/mtudummy.yml b/roles/ffh.exitnode/tasks/mtudummy.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Create mtudummy.network
+  notify: Restart networkd
+  copy:
+    src: mtudummy.network
+    dest: /etc/systemd/network/10-mtudummy.network
+
+- name: Create mtudummy.netdev
+  notify: Restart networkd
+  copy:
+    src: mtudummy.netdev
+    dest: /etc/systemd/network/10-mtudummy.netdev
diff --git a/roles/ffh.exitnode/tasks/routing.yml b/roles/ffh.exitnode/tasks/routing.yml
@@ -5,8 +5,8 @@
 
 - name: Deploy /etc/rc.local
   register: rclocal
-  template:
-    src: rc.local.j2
+  copy:
+    src: rc.local
     dest: /etc/rc.local
     mode: u=rwx,g=rx,o=rx
 

diff --git a/roles/ffh.exitnode/templates/ferm.conf.j2 b/roles/ffh.exitnode/templates/ferm.conf.j2
@@ -13,6 +13,12 @@
 
 domain (ip) {
   table nat {
+    chain PREROUTING {
+      # Route QUIC UDP packets which would exceed our MTU to the "mtudummy" interface
+      # to generate ICMP "too big" messages which trigger PMTU on the other side
+      interface eth0 proto udp sport 443 mod length length 1299:1500 DNAT to 192.0.0.1;
+    }
+
     chain POSTROUTING {
       # Alternativly to MASQUERADE use SNAT to <addr>;
       saddr 10.0.0.0/8 outerface eth0 MASQUERADE;
@@ -86,6 +92,7 @@ domain (ip6) {
 domain (ip ip6) {
   table filter {
     chain FORWARD {
+      interface eth0 outerface mtudummy ACCEPT;
 {% for name,node in supernodes.items() %}
       interface eth0 outerface gre-{{ name }} ACCEPT;
       interface gre-{{ name }} outerface eth0 ACCEPT;