From bbe89287cb0da5146a3aeecfbb353a3ae8b3b6de Mon Sep 17 00:00:00 2001
From: Ben Corrado
Date: Tue, 26 Nov 2024 00:45:27 -0800
Subject: [PATCH] Update tailgate-allow@.service with PMTUD support

I was seeing failures for routing large packets where the auto negotiation by PMTUD would normally cause the MSS to be adjusted for the overhead. With the rules in allow ICMP was blocked by the firewall rules, so there was no PMTUD happening. This opens the right connections for ICMP to allow PMTUD to negotiate the packet sizes.
---
systemd/tailgate-allow@.service | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)

diff --git a/systemd/tailgate-allow@.service b/systemd/tailgate-allow@.service
index 000216f..71703aa 100644
--- a/systemd/tailgate-allow@.service
+++ b/systemd/tailgate-allow@.service
@@ -17,6 +17,17 @@ ExecStartPre=/bin/sh -c 'INTERFACE=%i; PORT=$(cat /run/tailgate-%i.port); \
 iptables -C tailgate -o $INTERFACE -p udp --sport $PORT -j ACCEPT > /dev/null 2>&1 || \
 iptables -I tailgate -o $INTERFACE -p udp --sport $PORT -j ACCEPT'
 
+# Allow Essential ICMP Traffic for PMTUD
+ExecStartPre=/bin/sh -c 'iptables -I OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
+ExecStartPre=/bin/sh -c 'iptables -I OUTPUT -p icmp --icmp-type echo-request -j ACCEPT'
+ExecStartPre=/bin/sh -c 'iptables -I OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT'
+ExecStartPre=/bin/sh -c 'iptables -I INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
+ExecStartPre=/bin/sh -c 'iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT'
+ExecStartPre=/bin/sh -c 'iptables -I INPUT -p icmp --icmp-type echo-reply -j ACCEPT'
+
+# Implement MSS Clamping
+ExecStartPre=/bin/sh -c 'iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
+
 ExecStart=/bin/sh -c 'REAL_PORT=$(cat /run/tailgate-%i.port); rm /run/tailgate-%i.port; \
 if [ "$REAL_PORT" -eq 41641 ]; then exit 0; fi; \
 while true; do PORT=$(ss -lunp4 | awk "/tailscale/ {split(\\$4, arr, \\":\\"); print arr[2]}"); \
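Review bot: The seven new rules are added unconditionally on every start — there is no `iptables -C … ||` guard like the one on the existing tailgate rule two lines above — so with `Restart=on-failure` (visible in the next hunk) and a template unit that may be started once per interface, every start stacks another copy at the head of INPUT/OUTPUT and of mangle FORWARD, while the single `-D` per rule in the stop hook removes only one copy. The echo-request/echo-reply rules are also not part of PMTUD, which only needs `fragmentation-needed` (ICMP type 3 code 4); inserting `echo-request` at position 1 of INPUT with no interface match makes the host answer pings on every interface ahead of whatever rules follow, a widening the commit message does not mention, so either drop those four lines or state why they are wanted. Guard each rule with a check before inserting, as the existing rule does; the pattern is below and the remaining ICMP rules follow it. Note that `iptables` and `fragmentation-needed` cover IPv4 only; if the tunnel carries IPv6 an `ip6tables … --icmpv6-type packet-too-big` equivalent is presumably needed as well, which I cannot confirm from this hunk.
```ini
# Allow ICMP "fragmentation needed" in both directions so PMTUD works;
# the -C check keeps restarts and extra instances from stacking duplicates
ExecStartPre=/bin/sh -c 'iptables -C INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT > /dev/null 2>&1 || \
    iptables -I INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
ExecStartPre=/bin/sh -c 'iptables -C OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT > /dev/null 2>&1 || \
    iptables -I OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT'
# … echo-request / echo-reply rules, if kept, use the same -C || -I form …
# Clamp the MSS of forwarded TCP SYNs to the path MTU; same guard
ExecStartPre=/bin/sh -c 'iptables -t mangle -C FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu > /dev/null 2>&1 || \
    iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
```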
@@ -34,6 +45,16 @@ ExecStopPost=-/bin/sh -c '{ [ $(iptables -L tailgate 2>/dev/null | wc -l) -le 2
 iptables -D OUTPUT -j tailgate && \
 iptables -X tailgate; } || true'
 
+# Cleanup ICMP and MSS Clamping Rules on Service Stop
+ExecStopPost=-/bin/sh -c 'iptables -D OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT || true'
+ExecStopPost=-/bin/sh -c 'iptables -D OUTPUT -p icmp --icmp-type echo-request -j ACCEPT || true'
+ExecStopPost=-/bin/sh -c 'iptables -D OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT || true'
+ExecStopPost=-/bin/sh -c 'iptables -D INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT || true'
+ExecStopPost=-/bin/sh -c 'iptables -D INPUT -p icmp --icmp-type echo-request -j ACCEPT || true'
+ExecStopPost=-/bin/sh -c 'iptables -D INPUT -p icmp --icmp-type echo-reply -j ACCEPT || true'
+
+ExecStopPost=-/bin/sh -c 'iptables -t mangle -D FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu || true'
+
 Type=oneshot
 Restart=on-failure
 RemainAfterExit=yes
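Review bot: Each `iptables -D` here removes exactly one matching rule, and the rules carry nothing tying them to this instance (`%i` appears nowhere in them), so stopping one instance of this template unit tears down the ICMP and MSS-clamp rules while another instance may still depend on them, and any duplicate copies stacked by earlier restarts survive the stop. The existing cleanup directly above only removes the `tailgate` chain once it is empty (`-le 2`); the new hook has no equivalent guard. If the comment match is available on this host, tagging each rule with `-m comment --comment tailgate-%i` on both the insert (earlier hunk) and delete commands gives every instance its own distinguishable copy, and a loop such as `ExecStopPost=-/bin/sh -c 'while iptables -D INPUT -p icmp --icmp-type fragmentation-needed -m comment --comment tailgate-%i -j ACCEPT 2>/dev/null; do :; done'` then clears only that instance's rules, duplicates included. The `|| true` suffixes are redundant with the `ExecStopPost=-` prefix, which already ignores a non-zero exit, as the existing hook shows.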