Hi Tom,

Tom Eastep wrote on 16.09.2019 00:18 (GMT +02:00):
> On 9/15/19 2:57 PM, Timo Sigurdsson wrote:
>> Hi,
>>
>> after upgrading two of my machines from Debian Stretch to Buster, I
>> experimented a bit with the new nftables firewall backend. Pretty much
>> everything works fine and I couldn't find anything that behaves differently.
>> But on one of the two machines, I get an error when I run `nft list ruleset`
>> which is "XT target TCPMSS not found". I've looked a bit around to see what's
>> different on those two machines and found the configuration option
>> CLAMPMSS=Yes to be the culprit (the machine uses a PPPoE connection). In fact,
>> I tested setting this option in shorewall.conf which causes no issues, but as
>> soon as it's enabled in shorewall6.conf, nft will show the error message. The
>> kernel module seems to be available though. lsmod shows both xt_TCPMSS and
>> xt_tcpmss.
>>
>> Is this a limitation of ip6tables-nft or should CLAMPMSS=Yes not be used for
>> IPv6 in general?
>>
>
> That looks like a bug in nft or in ip6tables-nft; the TCPMSS rule is
> clearly instantiated, but nft gets confused trying to display it.
>

Thanks again. I took this to the netfilter mailing list now:
https://marc.info/?l=netfilter-devel&m=156893611703723&w=2

Regards,

Timo

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users