From f05567cbce6fc6bd25d7db761c01aeddd79424cc Mon Sep 17 00:00:00 2001
From: clerie
Date: Fri, 3 Feb 2023 00:41:40 +0100
Subject: [PATCH] hosts/carbon: enable mss clamping
---
 hosts/carbon/configuration.nix | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/hosts/carbon/configuration.nix b/hosts/carbon/configuration.nix
index 5aa260a..86b7586 100644
--- a/hosts/carbon/configuration.nix
+++ b/hosts/carbon/configuration.nix
@@ -243,11 +243,15 @@
 networking.firewall.allowedUDPPorts = [ 53 ];
 networking.firewall.allowedTCPPorts = [ 53 ];
- networking.firewall.extraCommands = ''
- ip46tables -A FORWARD -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
- ip46tables -A FORWARD -i enp1s0.202 -j DROP
- ip46tables -A FORWARD -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
- ip46tables -A FORWARD -o enp1s0.202 -j DROP
+ clerie.firewall.enable = true;
+ clerie.firewall.extraForwardFilterCommands = ''
+ ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
+ ip46tables -A forward-filter -i enp1s0.202 -j DROP
+ ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
+ ip46tables -A forward-filter -o enp1s0.202 -j DROP
+ '';
+ clerie.firewall.extraForwardMangleCommands = ''
+ ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
 '';
 services.pppd = {
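Review bot: The new `forward-mangle` rule goes through `ip46tables`, so the fixed `--set-mss 1452` is applied to IPv6 as well as IPv4. 1452 fits an IPv4 path with a 1492-byte MTU (presumably what `ppp-ntvdsl` has), but with the 40-byte IPv6 header a 1452-byte segment needs 1512 bytes, so IPv6 flows are effectively not clamped. Letting the kernel derive the value per family avoids this: `ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`. The rule also matches every forwarded SYN rather than only traffic crossing `ppp-ntvdsl`, so scoping it with `-o ppp-ntvdsl` (plus a matching `-i` rule if a fixed value is kept) would limit it to the link that needs it. The `clerie.firewall` module that creates the `forward-filter` and `forward-mangle` chains is outside this hunk, so it should be confirmed there that the appended DROP rules are still evaluated before any broader accept.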