On 9/15/19 2:57 PM, Timo Sigurdsson wrote:
> Hi,
>
> after upgrading two of my machines from Debian Stretch to Buster, I
> experimented a bit with the new nftables firewall backend. Pretty much
> everything works fine and I couldn't find anything that behaves differently.
> But on one of the two machines, I get an error when I run `nft list ruleset`
> which is "XT target TCPMSS not found". I've looked a bit around to see what's
> different on those two machines and found the configuration option
> CLAMPMSS=Yes to be the culprit (the machine uses a PPPoE connection). In
> fact, I tested setting this option in shorewall.conf which causes no issues,
> but as soon as it's enabled in shorewall6.conf, nft will show the error
> message. The kernel module seems to be available though. lsmod shows both
> xt_TCPMSS and xt_tcpmss.
>
> Is this a limitation of ip6tables-nft or should CLAMPMSS=Yes not be used for
> IPv6 in general?
>
That looks like a bug in nft or in ip6tables-nft; the TCPMSS rule is
clearly instantiated, but nft gets confused trying to display it.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users