防火墙nftables初探,ipv4和ipv6双栈
前一段时间,投诉电信一直不给家里千兆宽带分配ipv6地址,反复几个来回后,终于拿到ipv6地址。于是开始在软路由上设置ipv6,折腾软路由过程中,正好利用这个机会,研究了一下nftables这个iptables的替代者。
初步体验就是nftables优势明显,语句灵活,真香。附上我的nftables防火墙设置,互相学习,请高手指点。
flush ruleset

# Interfaces: LAN side, PPPoE WAN, and the physical link towards the modem
define DEV_LAN = eth1
define DEV_WAN = ppp0
define DEV_MODEM = eth0
define IP_MODEM = 192.168.0.11

# IPTV VLAN sub-interfaces (kept apart from each other in the bridge table)
define IPTV_VLAN85 = eth0.85
define IPTV_VLAN51 = eth0.51

# Internal networks; LAN_SET is their union and is what gets masqueraded
define GUEST_LAN = { 192.168.4.0/24 }
define IOT_LAN = { 192.168.5.0/24 }
define HOME_LAN = { 192.168.10.0/24 }
define LAN_SET = { $GUEST_LAN, $IOT_LAN, $HOME_LAN }
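table inet global {
    # Flow offload between the LAN port and the modem link. ppp0 is not in the
    # device list, so internet traffic always takes the full forward path.
    flowtable f {
        hook ingress priority 0; devices = { $DEV_LAN, $DEV_MODEM };
    }

    # Packets addressed to the router itself that arrive on the WAN link.
    # Only rate-limited ICMP/ICMPv6 is answered; no service is exposed on the
    # router's own WAN address (WireGuard 13231 is DNATed to a LAN host below).
    chain inbound_wan {
        icmp type { echo-reply, echo-request } limit rate 50/second burst 100 packets counter accept \
            comment "Allow-ping-from-WAN"
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } limit rate 50/second burst 100 packets counter accept \
            comment "Accept basic IPv6 functionality"
    }

    # Packets addressed to the router that arrive on the LAN port.
    chain inbound_lan {
        icmp type { echo-reply, echo-request } accept
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } accept
        # DNS and NTP for anything that reaches eth1 (guest/IoT included if they
        # share this port); SSH only from the home network.
        meta l4proto . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 123 : accept }
        ip saddr $HOME_LAN tcp dport 22 accept
    }

    chain inbound {
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Neighbour/router discovery. hoplimit 255 means the packet was not
        # forwarded by any router (RFC 4861), so it must come from the local link.
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-router-solicit,    # type 133
            nd-router-advert,     # type 134
            nd-neighbor-solicit,  # type 135
            nd-neighbor-advert,   # type 136
        } ip6 hoplimit 255 accept \
            comment "Allow IPv6 SLAAC"
        # Multicast listener discovery from link-local sources only.
        # (The set previously listed report/reduction twice; duplicates removed.)
        ip6 nexthdr icmpv6 icmpv6 type {
            mld-listener-query,      # type 130
            mld-listener-report,     # type 131
            mld-listener-reduction,  # type 132
            mld2-listener-report,    # type 143
        } ip6 saddr fe80::/10 accept \
            comment "Allow IPv6 multicast listener discovery on link-local"
        # DHCPv6 server -> client replies. The source is now really restricted to
        # link-local, which is what the rule comment always claimed; previously any
        # address on the internet could deliver UDP to port 546 on the router.
        # Loosen this only if your ISP's DHCPv6 server answers from a global address.
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
            comment "Accept DHCPv6 replies from IPv6 link-local addresses"
        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap { lo : accept, $DEV_WAN : jump inbound_wan, $DEV_LAN : jump inbound_lan }
        # everything else (including the modem port $DEV_MODEM) hits the drop policy
    }

    chain outbound {
        type filter hook output priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Hand eligible TCP/UDP to the flowtable (only conntrack-established flows
        # are actually offloaded; new connections still traverse the rules below).
        meta l4proto { tcp, udp } flow offload @f
        counter
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Rate-limited ICMPv6 errors/echo from the internet towards LAN hosts.
        iifname $DEV_WAN ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } limit rate 50/second burst 100 packets counter accept \
            comment "Accept basic IPv6 functionality"
        # IPsec pass-through. NOTE(review): there is no interface or address match,
        # so over IPv6 (no NAT) this admits IKE (500/4500) and ESP from the whole
        # internet to EVERY LAN host. Add `iifname $DEV_LAN` or a specific
        # `ip6 daddr` unless some LAN host must terminate inbound IPsec.
        meta l4proto esp counter accept comment "Allow-IPSec-ESP"
        udp dport { 500, 4500 } counter accept comment "Allow-ISAKMP"
        # internal nets are allowed (guest/IoT are not separated from HOME_LAN
        # here if they arrive on the same port)
        iifname $DEV_LAN counter accept
        # Connections from the internet to the internal net: only flows the nat
        # table actually DNATed. Without `ct status dnat` the port list also
        # matched native IPv6 from the WAN to any LAN host listening on one of
        # these ports, which is not what the port forwards intend.
        iifname $DEV_WAN ct status dnat meta l4proto . th dport vmap { tcp . 8006 : accept, udp . 53847 : accept, tcp . 53847 : accept, udp . 13231 : accept, tcp . 8123 : accept }
        # the rest will be dropped
    }

    chain forward_mangle {
        type filter hook forward priority mangle; policy accept;
        # MSS clamping for the PPPoE link (1452/1432 presumably = 1492 - 40/60).
        # `tcp flags syn` also matches SYN-ACK, so SYN-ACKs leaving via the WAN
        # for inbound port forwards get clamped too.
        oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452 comment "IPV4 TCP MSS Clamping"
        oifname $DEV_WAN meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1432 comment "IPV6 TCP MSS Clamping"
    }
}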
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Inbound port forwards from the WAN (IPv4 only: this is an `ip` table).
        # NOTE(review): 8006 (Proxmox VE web UI) and 8123 (Home Assistant) are
        # administrative interfaces published to the whole internet; reaching
        # them through the WireGuard forward instead would take them off the
        # attack surface entirely.
        iifname $DEV_WAN dnat to tcp dport map { 8006 : 192.168.10.250, 8123 : 192.168.10.252 } comment "port forwarding: PVE & HomeAssistant"
        iifname $DEV_WAN udp dport 13231 dnat to 192.168.10.249 comment "port forwarding: WireGuard"
        iifname $DEV_WAN ip protocol { tcp, udp } th dport 53847 dnat to 192.168.10.4 comment "port forwarding: qbittorrent"
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide every internal network behind the dynamic PPPoE address
        ip saddr $LAN_SET oifname $DEV_WAN masquerade
        # Home network only may talk to the modem's management address
        ip saddr $HOME_LAN oifname $DEV_MODEM snat to $IP_MODEM comment "access from home LAN to Modem"
    }
}
table bridge filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Keep the two IPTV VLANs isolated from each other on the bridge;
        # everything else crossing the bridge is forwarded unfiltered.
        iif $IPTV_VLAN51 oif $IPTV_VLAN85 counter drop comment "drop IPTV packages between VLAN85 & VLAN51"
        iif $IPTV_VLAN85 oif $IPTV_VLAN51 counter drop comment "drop IPTV packages between VLAN85 & VLAN51"
    }
}
学习一下 我也分享一下我的,是根据openwrt的导出,然后我自己修改了一部分:
#!/usr/sbin/nft -f
# Customised by fox from an OpenWrt fw4 export, tuned for a Linux router.
# Start from an empty ruleset so a reload never leaves stale rules behind.
flush ruleset
table inet router {
    #
    # Flowtable
    #
    # NOTE(review): enp6s18 (the physical WAN port) is offload-eligible here
    # although the WAN zone below is addressed as pppoe-out1 on top of it.
    flowtable ft {
        hook ingress priority filter;
        devices = { enp6s18, enp6s19, enp6s20, enp6s21, enp6s22 };
    }
    #
    # Defines
    #
    # Local resolvers that are allowed to bypass the DNS redirect in dstnat_lan
    define local_dns_ipv4 = { 172.16.1.1, 172.16.1.2, 172.16.1.3 }
    define local_dns_ipv6 = { fd10::1, fd10::2, fd10::3 }
    #
    # Filter rules
    #
    # Input is `policy accept`: a packet from an interface that is neither
    # bridge1 nor one of the WAN names falls through to accept. fw4 keeps this
    # shape too, but it means a new interface is open until it is zoned.
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept comment "defconf: Accept traffic from loopback"
        ct state established,related accept comment "defconf: Allow inbound established and related flows"
        ct state invalid counter drop comment "defconf: Drop input flows with invalid conntrack state"
        # Global (not per-source) SYN limit, evaluated before the zone jumps, so
        # LAN-originated SYNs count against the same 25/s budget as WAN ones.
        tcp flags & (fin | syn | rst | ack) == syn counter jump syn_flood comment "defconf: Rate limit TCP syn packets"
        iifname "bridge1" jump input_lan comment "defconf: Handle lan IPv4/IPv6 input traffic"
        iifname { "enp6s18", "pppoe-out1" } jump input_wan comment "defconf: Handle wan IPv4/IPv6 input traffic"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        meta l4proto { tcp, udp } flow offload @ft comment "defconf: Track forwarded flows"
        ct state established,related accept comment "defconf: Allow forwarded established and related flows"
        ct state invalid counter drop comment "defconf: Drop forward flows with invalid conntrack state"
        iifname "bridge1" jump forward_lan comment "defconf: Handle lan IPv4/IPv6 forward traffic"
        iifname { "enp6s18", "pppoe-out1" } jump forward_wan comment "defconf: Handle wan IPv4/IPv6 forward traffic"
    }
    chain output {
        type filter hook output priority filter; policy accept;
        oifname "lo" accept comment "defconf: Accept traffic towards loopback"
        ct state established,related accept comment "defconf: Allow outbound established and related flows"
        ct state invalid counter drop comment "defconf: Drop output flows with invalid conntrack state"
        oifname "bridge1" jump output_lan comment "defconf: Handle lan IPv4/IPv6 output traffic"
        oifname { "enp6s18", "pppoe-out1" } jump output_wan comment "defconf: Handle wan IPv4/IPv6 output traffic"
    }
    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        iifname "bridge1" jump helper_lan comment "defconf: Handle lan IPv4/IPv6 helper assignment"
    }
    # Defined but not jumped to anywhere in this file; kept from the fw4 export.
    chain handle_reject {
        meta l4proto tcp reject with tcp reset comment "defconf: Reject TCP traffic"
        counter reject comment "defconf: Reject any other traffic"
    }
    # Packets below the limit `return` to the caller; the excess is dropped here.
    chain syn_flood {
        limit rate 25/second burst 50 packets return comment "defconf: Accept SYN packets below rate-limit"
        counter drop comment "defconf: Drop excess packets"
    }
    chain input_lan {
        # Accepts what dstnat_lan redirected to the router itself (the DNS redirect)
        ct status dnat counter accept comment "lanconf: Accept port redirections"
        jump accept_from_lan
    }
    chain output_lan {
        jump accept_to_lan
    }
    chain forward_lan {
        jump accept_to_wan comment "defconf: Accept lan to wan forwarding"
        ct status dnat counter accept comment "lanconf: Accept port forwards"
        jump accept_to_lan
    }
    # Empty on purpose: a hook chain for custom conntrack-helper rules
    # (the thread says fw4 reserves it for user additions; verify against fw4 docs).
    chain helper_lan {
    }
    chain accept_from_lan {
        iifname "bridge1" counter accept comment "defconf: Accept lan IPv4/IPv6 traffic"
    }
    chain accept_to_lan {
        oifname "bridge1" counter accept comment "defconf: Accept lan IPv4/IPv6 traffic"
    }
    chain input_wan {
        meta nfproto ipv4 udp dport 68 counter accept comment "defconf: Allow-DHCP-Renew"
        meta nfproto ipv4 icmp type echo-request counter drop comment "defconf: Drop-ICMP-Ping-Input"
        meta nfproto ipv6 icmpv6 type echo-request counter drop comment "defconf: Drop-ICMPv6-Ping-Input"
        meta nfproto ipv4 meta l4proto igmp counter accept comment "defconf: Allow-IGMP"
        # NOTE(review): no source restriction, so any internet host can deliver
        # UDP to port 546 on the router; `ip6 saddr fe80::/10` would limit this
        # to on-link DHCPv6 servers (check whether your ISP replies from link-local).
        meta nfproto ipv6 udp dport 546 counter accept comment "defconf: Allow-DHCPv6"
        ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter accept comment "defconf: Allow-MLD"
        # RS/RA are accepted without an `ip6 hoplimit 255` match; the kernel's ND
        # code still enforces it (RFC 4861), so this is only a missed early drop.
        meta nfproto ipv6 icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Input"
        meta nfproto ipv6 icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Input"
        jump drop_from_wan
    }
    chain output_wan {
        jump accept_to_wan
    }
    chain forward_wan {
        meta nfproto ipv4 icmp type echo-request counter drop comment "defconf: Drop-ICMP-Ping-Forward"
        meta nfproto ipv6 icmpv6 type echo-request counter drop comment "defconf: Drop-ICMPv6-Ping-Forward"
        meta nfproto ipv6 icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Forward"
        meta nfproto ipv6 icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 100/second burst 200 packets counter accept comment "defconf: Allow-ICMPv6-Forward"
        # NOTE(review): IPsec from the WAN to the LAN zone with no address match.
        # Over IPv4 only DNATed flows can reach a LAN host, but over native IPv6
        # this lets the whole internet send IKE (500) and ESP to every LAN host.
        # Drop these two rules unless a LAN host terminates inbound IPsec.
        meta l4proto esp counter jump accept_to_lan comment "defconf: Allow-IPSec-ESP"
        udp dport 500 counter jump accept_to_lan comment "defconf: Allow-ISAKMP"
        jump drop_to_wan
    }
    chain accept_to_wan {
        oifname { "enp6s18", "pppoe-out1" } counter accept comment "defconf: Accept wan IPv4/IPv6 traffic"
    }
    chain drop_from_wan {
        iifname { "enp6s18", "pppoe-out1" } counter drop comment "defconf: Drop wan IPv4/IPv6 traffic"
    }
    chain drop_to_wan {
        oifname { "enp6s18", "pppoe-out1" } counter drop comment "defconf: Drop wan IPv4/IPv6 traffic"
    }
    #
    # NAT rules
    #
    # Every LAN DNS query (tcp/udp 53) is steered into dstnat_lan below.
    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "bridge1" meta l4proto { tcp, udp } th dport domain counter jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
    }
    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname { "enp6s18", "pppoe-out1" } jump srcnat_wan comment "defconf: Handle wan IPv4/IPv6 srcnat traffic"
    }
    # DNS hijack: the listed local resolvers may query upstream directly, every
    # other LAN client is transparently redirected to the router's own port 53.
    # This only catches plain port-53 DNS; DoT/DoH clients bypass it.
    chain dstnat_lan {
        ip saddr $local_dns_ipv4 meta l4proto { tcp, udp } th dport domain counter accept comment "lanconf: Accept lan dns IPv4 bootstrap query"
        ip6 saddr $local_dns_ipv6 meta l4proto { tcp, udp } th dport domain counter accept comment "lanconf: Accept lan dns IPv6 bootstrap query"
        meta l4proto { tcp, udp } th dport domain counter redirect to domain comment "lanconf: Lan dns redirect"
    }
    # IPv4 only; IPv6 leaves the WAN with its native (global) source address.
    chain srcnat_wan {
        meta nfproto ipv4 masquerade comment "defconf: Masquerade IPv4 wan traffic"
    }
    #
    # Raw rules (notrack)
    #
    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
    }
    chain raw_output {
        type filter hook output priority raw; policy accept;
    }
    #
    # Mangle rules
    #
    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
    }
    chain mangle_postrouting {
        type filter hook postrouting priority mangle; policy accept;
    }
    chain mangle_input {
        type filter hook input priority mangle; policy accept;
    }
    chain mangle_output {
        type route hook output priority mangle; policy accept;
    }
    # MSS clamping to the route MTU on SYNs in both directions across the WAN
    # (the nft equivalent of iptables' TCPMSS --clamp-mss-to-pmtu).
    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
        iifname { "enp6s18", "pppoe-out1" } tcp flags syn tcp option maxseg size set rt mtu comment "defconf: Zone wan IPv4/IPv6 ingress MTU fixing"
        oifname { "enp6s18", "pppoe-out1" } tcp flags syn tcp option maxseg size set rt mtu comment "defconf: Zone wan IPv4/IPv6 egress MTU fixing"
    }
}
aitkots 发表于 2022-12-25 13:40
我也分享一下我的,是根据openwrt的导出,然后我自己修改了一部分:
请教一下,这条规则起什么作用?
chain helper_lan 本帖最后由 Vampire_KILLer 于 2022-12-25 15:40 编辑
防火墙现在我只会在PA和CP的集中管控上点点点了[生病]
不过Juniper和Hillstone还时不时需要敲几个命令行
华为的防火墙不管是seco还是ssh我都不想碰 normanlu 发表于 2022-12-25 14:10
请教一下,这条规则起什么作用?
这个是openwrt留给自定义防火墙配置用的 aitkots 发表于 2022-12-25 13:40
我也分享一下我的,是根据openwrt的导出,然后我自己修改了一部分:
多问一句,我研究了一下你的防火墙规则,貌似你的路由器并没有跑什么tcp服务,这条input链syn_flood应该并没什么作用吧。 Vampire_KILLer 发表于 2022-12-25 15:26
防火墙现在我只会在PA和CP的集中管控上点点点了
不过Juniper和Hillstone还时不时需要敲几个命令行
家庭宽带,linux自带防火墙用用足够了,专业防火墙就不必了吧。 normanlu 发表于 2022-12-25 18:30
多问一句,我研究了一下你的防火墙规则,貌似你的路由器并没有跑什么tcp服务,这条input链syn_flood应该 ...
[偷笑] 作用是比较小咯,主要是对路由器本身的一个SYN flood防御。不过要注意这条 limit rate 25/second 是全局计数而不是按源地址计数,而且它排在 zone 跳转之前,真被打的时候 LAN 侧的合法新连接(比如被重定向到路由器的 TCP 53)也会一起被限速。
防火墙现在我只会在PA和CP的集中管控上点点点了
不过Juniper和Hillstone还时不时需要敲几个命令行
为什么华为的不想碰? normanlu 发表于 2022-12-25 18:32
家庭宽带,linux自带防火墙用用足够了,专业防火墙就不必了吧。
主要是我在我看来,折腾软路由啥的,真不如搞个二手的山石小防火墙,基本上pppoe多拨、多WAN口、运营商路由啥的都有
当然这是指路由这一块哈,其他诸如下载、插件功能的话这些是欠奉的 Krakenius 发表于 2022-12-25 19:20
为什么华为的不想碰?
使用体验差,日志功能差
网络厂商做的墙都有大病,思科如此、华为也如此
低层向高层做,要做好很难
高层转做低层,比较容易出彩——Juniper和Hillstone做核心交换机、F5做安全设备 Vampire_KILLer 发表于 2022-12-26 05:09
主要是我在我看来,折腾软路由啥的,真不如搞个二手的山石小防火墙,基本上pppoe多拨、多WAN口、运营商路 ...
公司用fortigate,专业的事情交给专业的。家里嘛,自己折腾一下linux就好了,不想家里整一堆的硬件设备。 看到一篇很好的nftables hardening的文章,做了一些修改,除了ipv6的hardening规则还需完善外,基本算完工了。
https://blog.samuel.domains/blog/security/nftables-hardening-rules-and-good-practices
flush ruleset

# Interfaces: LAN side, PPPoE WAN, and the physical link towards the modem
define DEV_LAN = eth1
define DEV_WAN = ppp0
define DEV_MODEM = eth0
define IP_MODEM = 192.168.0.11

# IPTV VLAN sub-interfaces (kept apart from each other in the bridge table)
define IPTV_VLAN85 = eth0.85
define IPTV_VLAN51 = eth0.51

# Internal networks; LAN_SET is their union and is what gets masqueraded
define GUEST_LAN = 192.168.4.0/24
define IOT_LAN = 192.168.5.0/24
define HOME_LAN = 192.168.10.0/24
define LAN_SET = { $GUEST_LAN, $IOT_LAN, $HOME_LAN }
# Early drops at the WAN ingress hook, before conntrack and defragmentation.
# Everything here is IPv4-only (the `ip ...` matches never see IPv6); the TCP
# flag checks apply to both families.
table netdev filter {
    chain ingress {
        type filter hook ingress device $DEV_WAN priority -500;

        # Non-initial IPv4 fragments. NOTE(review): this runs before the kernel
        # reassembles, so ANY fragmented IPv4 flow from the internet (large UDP,
        # some IPsec/VPN traffic) is broken, not just fragment-based evasion.
        ip frag-off & 0x1fff != 0 counter drop

        # Source addresses that must never appear on the public internet
        # (bogons, <https://www.team-cymru.com/bogon-reference.html>).
        # NOTE(review): 100.64.0.0/10 is CGNAT space; if the ISP puts the PPPoE
        # peer or its hops there, ICMP from those hops is silently dropped too.
        ip saddr {
            0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
            169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24,
            192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24,
            224.0.0.0/3
        } counter drop

        # Scan signatures: all six flags set (XMAS) or none set (NULL)
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop

        # SYNs advertising a tiny MSS. NOTE(review): 536 is the classic IPv4
        # default MSS, so a few legitimate low-MTU clients may be refused here.
        tcp flags syn tcp option maxseg size 1-536 counter drop
    }
}
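table inet global {
    # Flow offload between the LAN port and the modem link. ppp0 is not in the
    # device list, so internet traffic always takes the full forward path.
    flowtable f {
        hook ingress priority 0; devices = { $DEV_LAN, $DEV_MODEM };
    }

    # Packets addressed to the router itself that arrive on the WAN link.
    # Only rate-limited ICMP/ICMPv6 is answered; no service is exposed on the
    # router's own WAN address (WireGuard 13231 is DNATed to a LAN host).
    chain inbound_wan {
        # Allow-ping-from-WAN
        icmp type { echo-reply, echo-request } limit rate 10/second burst 20 packets counter accept
        # Accept basic IPv6 functionality
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } limit rate 10/second burst 20 packets counter accept
    }

    # Packets addressed to the router that arrive on the LAN port.
    chain inbound_lan {
        icmp type { echo-reply, echo-request } accept
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } accept
        # DNS and NTP for anything that reaches eth1 (guest/IoT included if they
        # share this port); SSH only from the home network.
        meta l4proto . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 123 : accept }
        ip saddr $HOME_LAN tcp dport 22 accept
    }

    chain inbound {
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow IPv6 SLAAC. hoplimit 255 means the packet was never forwarded by
        # a router (RFC 4861), so it really comes from the local link.
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-router-solicit,    # type 133
            nd-router-advert,     # type 134
            nd-neighbor-solicit,  # type 135
            nd-neighbor-advert,   # type 136
        } ip6 hoplimit 255 counter accept
        # Allow IPv6 multicast listener discovery on link-local
        ip6 nexthdr icmpv6 icmpv6 type {
            mld-listener-query,      # type 130
            mld-listener-report,     # type 131
            mld-listener-reduction,  # type 132
            mld2-listener-report,    # type 143
        } ip6 saddr fe80::/10 counter accept
        # Accept DHCPv6 replies from IPv6 link-local addresses. The source match
        # is now real: before, any internet host could deliver UDP to port 546.
        # Loosen this only if your ISP's DHCPv6 server answers from a global address.
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 counter accept
        # allow loopback traffic, anything else jump to chain for further evaluation
        iifname vmap { lo : accept, $DEV_WAN : jump inbound_wan, $DEV_LAN : jump inbound_lan }
        # everything else (including the modem port $DEV_MODEM) hits the drop policy
    }

    chain outbound {
        type filter hook output priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Hand eligible TCP/UDP to the flowtable (only conntrack-established flows
        # are actually offloaded; new connections still traverse the rules below).
        meta l4proto { tcp, udp } flow offload @f
        counter
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Accept basic IPv6 functionality (rate-limited, WAN -> LAN hosts)
        iifname $DEV_WAN ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,  # type 1
            packet-too-big,           # type 2
            time-exceeded,            # type 3
            parameter-problem,        # type 4
            echo-request,             # type 128
            echo-reply,               # type 129
        } limit rate 10/second burst 20 packets counter accept
        # internal nets are allowed (guest/IoT are not separated from HOME_LAN
        # here if they arrive on the same port)
        iifname $DEV_LAN counter accept
        # Connections from the internet to the home LAN: only flows the nat table
        # actually DNATed, so this is IPv4-only by construction. Native IPv6 from
        # the WAN reaches LAN hosts with nothing but the ICMPv6 above, i.e. the
        # port forwards (PVE, HA, qBittorrent, WireGuard) are not reachable over
        # IPv6 unless explicit `ip6 daddr ... th dport` rules are added.
        iifname $DEV_WAN ip daddr $HOME_LAN ct status dnat counter accept
        # the rest will be dropped
    }

    chain forward_mangle {
        type filter hook forward priority mangle; policy accept;
        # MSS clamping for the PPPoE link (1452/1432 presumably = 1492 - 40/60).
        # `tcp flags syn` also matches SYN-ACK, so SYN-ACKs leaving via the WAN
        # for inbound port forwards get clamped too.
        oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452
        oifname $DEV_WAN meta nfproto ipv6 tcp flags syn tcp option maxseg size set 1432
    }

    # Runs at -150, i.e. after conntrack (-200) but before the nat/filter hooks,
    # on every interface. The invalid drops in the other chains are then only
    # belt-and-braces.
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;
        # CT INVALID
        ct state invalid counter drop
        # A new TCP connection must start with a bare SYN (no SYN+ACK/FIN/RST)
        tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
    }
}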
table ip nat {
    chain nat_prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Inbound port forwards from the WAN (IPv4 only: this is an `ip` table).
        # NOTE(review): 8006 (Proxmox VE web UI) and 8123 (Home Assistant) are
        # administrative interfaces published to the whole internet; reaching
        # them through the WireGuard forward instead would take them off the
        # attack surface entirely.
        iifname $DEV_WAN dnat to tcp dport map { 8006 : 192.168.10.250, 8123 : 192.168.10.252 }
        # WireGuard
        iifname $DEV_WAN udp dport 13231 dnat to 192.168.10.251
        # qbittorrent
        iifname $DEV_WAN ip protocol { tcp, udp } th dport 53847 dnat to 192.168.10.4
    }
    chain nat_postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide every internal network behind the dynamic PPPoE address
        ip saddr $LAN_SET oifname $DEV_WAN masquerade
        # Home network only may talk to the modem's management address
        ip saddr $HOME_LAN oifname $DEV_MODEM snat to $IP_MODEM
    }
}
table bridge iptv {
    chain port_block {
        type filter hook forward priority 0; policy accept;
        # Keep the two IPTV VLANs isolated from each other on the bridge;
        # everything else crossing the bridge is forwarded unfiltered.
        iif $IPTV_VLAN51 oif $IPTV_VLAN85 counter drop
        iif $IPTV_VLAN85 oif $IPTV_VLAN51 counter drop
    }
}
不懂防火墙设置,最近在er-x路由器上刷了openwrt 22.03.5,ipv6有时打开某些网站很慢,在网上看到https://www.v2ex.com/t/800024
附:在基于 Linux 的路由器启用MSS Clamping的命令:
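# Automatic MSS (clamp to the path MTU); assumes the PPPoE interface is pppoe0.
# --tcp-flags SYN,RST SYN touches only connection setup, never data packets.
# Run as root; the shell prompts are omitted so the lines can be pasted as-is.
iptables  -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --clamp-mss-to-pmtu
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --clamp-mss-to-pmtu
# Fixed MSS instead (1452/1432 presumably = PPPoE MTU 1492 - 40/60); same interface assumption.
iptables  -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --set-mss 1452
ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o pppoe0 -j TCPMSS --set-mss 1432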
这个在firewall4 里应该如何写?还是系统防火墙已经自带了?我看你的帖子里的第159到163行好像就是类似的命令。 二手烟 发表于 2023-5-18 18:32
不懂防火墙设置,最近在er-x路由器上刷了openwrt 22.03.5,ipv6有时打开某些网站很慢,在网上看到https://w ...
oifname $DEV_WAN meta nfproto ipv4 tcp flags syn tcp option maxseg size set 1452
160行就是ipv4的mss clamping(手动指定MSS,对应 iptables 的 --set-mss 1452)。--clamp-mss-to-pmtu 在 nftables 里的写法是 `tcp option maxseg size set rt mtu`,上面那份 OpenWrt 导出的配置里 mangle_forward 链的两条 "Zone wan IPv4/IPv6 ingress/egress MTU fixing" 规则就是这个,看起来是 fw4 给 wan zone 开启 MTU fixing 时自动生成的,一般不用自己再手写。