From 6e1333d1e71651e9822ef74d989b928df313ea6e Mon Sep 17 00:00:00 2001
From: Daniil Baturin <daniil@baturin.org>
Date: Tue, 8 Aug 2023 20:28:38 +0100
Subject: system-ip: T5449: add TCP MSS probing options

---
 interface-definitions/system-ip.xml.in | 58 ++++++++++++++++++++++++++++++++++
 src/conf_mode/system-ip.py             | 21 ++++++++++++
 2 files changed, 79 insertions(+)

diff --git a/interface-definitions/system-ip.xml.in b/interface-definitions/system-ip.xml.in
index abdede979..6db4dbfc7 100644
--- a/interface-definitions/system-ip.xml.in
+++ b/interface-definitions/system-ip.xml.in
@@ -48,6 +48,64 @@
               </leafNode>
             </children>
           </node>
+          <node name="tcp">
+            <properties>
+              <help>IPv4 TCP parameters</help>
+            </properties>
+            <children>
+              <node name="mss">
+                <properties>
+                  <help>IPv4 TCP MSS probing options</help>
+                </properties>
+                <children>
+                  <leafNode name="probing">
+                    <properties>
+                      <help>Attempt to lower the MSS if TCP connections fail to establish</help>
+                      <completionHelp>
+                        <list>on-icmp-black-hole force</list>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>on-icmp-black-hole</format>
+                        <description>Attempt TCP MSS probing when an ICMP black hole is detected</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>force</format>
+                      <description>Attempt TCP MSS probing by default</description>
+                      </valueHelp>
+                      <constraint>
+                        <regex>(on-icmp-black-hole|force)</regex>
+                      </constraint>
+                      <constraintErrorMessage>Must be on-icmp-black-hole or force</constraintErrorMessage>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="base">
+                    <properties>
+                      <help>Base MSS to start probing from (applicable to "probing force")</help>
+                      <valueHelp>
+                        <format>u32:48-1460</format>
+                        <description>Base MSS value for probing (default: 1024)</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 48-1460"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                  <leafNode name="floor">
+                    <properties>
+                      <help>Minimum MSS to stop probing at (default: 48)</help>
+                      <valueHelp>
+                        <format>u32:48-1460</format>
+                        <description>Minimum MSS value to probe</description>
+                      </valueHelp>
+                      <constraint>
+                        <validator name="numeric" argument="--range 48-1460"/>
+                      </constraint>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </node>
           #include <include/system-ip-protocol.xml.i>
         </children>
       </node>
diff --git a/src/conf_mode/system-ip.py b/src/conf_mode/system-ip.py
index cca996e4f..c89267afc 100755
--- a/src/conf_mode/system-ip.py
+++ b/src/conf_mode/system-ip.py
@@ -98,6 +98,27 @@ def apply(opt):
     value = '1' if (tmp != None) else '0'
     sysctl_write('net.ipv4.fib_multipath_hash_policy', value)
 
+    # configure TCP options (defaults as of Linux 6.4)
+    tmp = dict_search('tcp.mss.probing', opt)
+    if tmp is None:
+        value = 0
+    elif tmp == 'on-icmp-black-hole':
+        value = 1
+    elif tmp == 'force':
+        value = 2
+    else:
+        # Shouldn't happen
+        raise ValueError("TCP MSS probing is neither 'on-icmp-black-hole' nor 'force'!")
+    sysctl_write('net.ipv4.tcp_mtu_probing', value)
+
+    tmp = dict_search('tcp.mss.base', opt)
+    value = '1024' if (tmp is None) else tmp
+    sysctl_write('net.ipv4.tcp_base_mss', value)
+
+    tmp = dict_search('tcp.mss.floor', opt)
+    value = '48' if (tmp is None) else tmp
+    sysctl_write('net.ipv4.tcp_mtu_probe_floor', value)
+
     if 'protocol' in opt:
         zebra_daemon = 'zebra'
         # Save original configuration prior to starting any commit actions
-- 
cgit v1.2.3