Hi,

after upgrading two of my machines from Debian Stretch to Buster, I experimented a bit with the new nftables firewall backend. Pretty much everything works fine and I couldn't find anything that behaves differently. But on one of the two machines, I get an error when I run `nft list ruleset`, which is "XT target TCPMSS not found". I've looked around a bit to see what's different on those two machines and found the configuration option `CLAMPMSS=Yes` to be the culprit (the machine uses a PPPoE connection). In fact, I tested setting this option in `shorewall.conf`, which causes no issues, but as soon as it's enabled in `shorewall6.conf`, nft will show the error message. The kernel module seems to be available though. `lsmod` shows both `xt_TCPMSS` and `xt_tcpmss`.
Is this a limitation of ip6tables-nft or should `CLAMPMSS=Yes` not be used for IPv6 in general?

Thanks and regards,
Timo