From 90a6b84c095820c860e02537b9c6cdbbe4742baf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Bourdeauducq?=
Date: Thu, 29 Aug 2024 18:39:52 +0800
Subject: [PATCH] nixbld: work around tunnel TCPMSS issues

---
 nixbld-etc-nixos/configuration.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixbld-etc-nixos/configuration.nix b/nixbld-etc-nixos/configuration.nix
index bb08dfb..b9cefcc 100644
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@@ -176,11 +176,20 @@ in
 iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
 iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
 iptables -w -A FORWARD -j block-insecure-devices
+
+ iptables -w -N pccw-sucks
+ iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
+ iptables -A pccw-sucks -o alt0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
+ iptables -w -A FORWARD -j pccw-sucks
 '';
 extraStopCommands = ''
 iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
 iptables -w -F block-insecure-devices 2>/dev/null|| true
 iptables -w -X block-insecure-devices 2>/dev/null|| true
+
+ iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
+ iptables -w -F pccw-sucks 2>/dev/null|| true
+ iptables -w -X pccw-sucks 2>/dev/null|| true
 '';
 };
 sits."${netifSit}" = {
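Review bot: The two TCPMSS rules appended to `pccw-sucks` are the only iptables calls in this hunk (and in the rest of the visible chain setup) that omit `-w`, so if another process holds the xtables lock while the firewall starts, those two inserts fail and the chain that is then jumped to from FORWARD is left empty, silently disabling the MSS clamp while every other rule applies. They should read `iptables -w -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360` and `iptables -w -A pccw-sucks -o alt0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380`, matching the `-N` and FORWARD lines beside them. The values 1360 and 1380 are unexplained; a one-line comment stating which tunnel MTU each was derived from, e.g. `# MSS = <tunnel MTU> - 40, keep in sync with the mtu of ${netifSit} / alt0` with the actual MTUs filled in, would let the next person recheck them when the tunnels change. `alt0` is also hard-coded while the sit interface comes from `${netifSit}`; presumably alt0 has no binding in this file, which is worth confirming. The enclosing `extraCommands` string begins above the hunk.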