tailscale/util/linuxfw
Samy Djemaï 6a275c01db util/linuxfw: clamp MSS to PMTU in both forward directions (#20077)
ClampMSSToPMTU only added a rule matching the output interface (-o tun /
OIFNAME), which clamps the SYN forwarded out towards the tailnet peer but
not the SYN-ACK that arrives on tun and is forwarded back towards the
originating endpoint. As a result only one side of a forwarded handshake
had its MSS clamped; the endpoint on the other side of the proxy kept
advertising an MSS based on its own (larger) MTU.

When path MTU discovery is broken (e.g. proxies created by the Tailscale
Kubernetes operator, where tailscale0 has a 1280 MTU), the unclamped
endpoint's large segments exceed the tun MTU and are silently dropped,
causing TCP connections through proxy group pods to stall mid-stream on
large payloads. The earlier proxy-group fix (#19686) wired ClampMSSToPMTU
into the HA code paths but inherited this single-direction limitation, so
connections could still hang.

Add a second rule matching the input interface (-i tun / IIFNAME) in both
the iptables and nftables runners so both directions of the forwarded
handshake negotiate a PMTU-safe MSS.

Updates #19812

Signed-off-by: Samy Djemaï <53857555+SamyDjemai@users.noreply.github.com>
2026-06-22 11:25:15 +01:00