Path MTU discovery fixes and improvements (#3109)

- Existing option `WIREGUARD_MTU` , if set, disables PMTUD and is used - New option `PMTUD_ICMP_ADDRESSES=1.1.1.1,8.8.8.8` and `PMTUD_TCP_ADDRESSES=1.1.1.1:443,8.8.8.8:443` - ICMP PMTUD now targets external-by-default IP addresses - New TCP PMTUD (binary search only) as a second MTU confirmation and fallback mechanism. - Force set TCP MSS to MTU - IP header - TCP base header - "magic 20 bytes" 🎆 - Fix #3108
2026-05-10 04:30:20 +02:00 · 2026-02-15 01:40:34 +01:00
parent 8f1fda7646
commit be92aa2ac4
59 changed files with 2050 additions and 376 deletions
@@ -0,0 +1,199 @@
+package tcp
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/qdm12/gluetun/internal/netlink"
+	"github.com/qdm12/gluetun/internal/routing"
+	"github.com/qdm12/log"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_runTest(t *testing.T) {
+	t.Parallel()
+
+	noopLogger := &noopLogger{}
+	netlinker := netlink.New(noopLogger)
+	loopbackMTU, err := findLoopbackMTU(netlinker)
+	require.NoError(t, err, "finding loopback IPv4 MTU")
+	defaultIPv4MTU, err := findDefaultIPv4RouteMTU(netlinker)
+	require.NoError(t, err, "finding default IPv4 route MTU")
+
+	ctx, cancel := context.WithCancel(t.Context())
+
+	const family = syscall.AF_INET
+	fd, stop, err := startRawSocket(family)
+	require.NoError(t, err)
+
+	const ipv4 = true
+	tracker := newTracker(fd, ipv4)
+	trackerCh := make(chan error)
+	go func() {
+		trackerCh <- tracker.listen(ctx)
+	}()
+
+	t.Cleanup(func() {
+		stop()
+		cancel() // stop listening
+		err = <-trackerCh
+		require.NoError(t, err)
+	})
+
+	testCases := map[string]struct {
+		timeout time.Duration
+		dst     func(t *testing.T) netip.AddrPort
+		mtu     uint32
+		success bool
+	}{
+		"local_not_listening": {
+			timeout: time.Hour,
+			dst: func(t *testing.T) netip.AddrPort {
+				t.Helper()
+				port := reserveClosedPort(t)
+				return netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), port)
+			},
+			mtu:     loopbackMTU,
+			success: true,
+		},
+		"remote_not_listening": {
+			timeout: 50 * time.Millisecond,
+			dst: func(_ *testing.T) netip.AddrPort {
+				return netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 12345)
+			},
+			mtu: defaultIPv4MTU,
+		},
+		"1.1.1.1:443": {
+			timeout: time.Second,
+			dst: func(_ *testing.T) netip.AddrPort {
+				return netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 443)
+			},
+			mtu:     defaultIPv4MTU,
+			success: true,
+		},
+		"1.1.1.1:80": {
+			timeout: time.Second,
+			dst: func(_ *testing.T) netip.AddrPort {
+				return netip.AddrPortFrom(netip.AddrFrom4([4]byte{1, 1, 1, 1}), 80)
+			},
+			mtu:     defaultIPv4MTU,
+			success: true,
+		},
+		"8.8.8.8:443": {
+			timeout: time.Second,
+			dst: func(_ *testing.T) netip.AddrPort {
+				return netip.AddrPortFrom(netip.AddrFrom4([4]byte{8, 8, 8, 8}), 443)
+			},
+			mtu:     defaultIPv4MTU,
+			success: true,
+		},
+	}
+
+	for name, testCase := range testCases {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+			ctx, cancel := context.WithTimeout(t.Context(), testCase.timeout)
+			defer cancel()
+			dst := testCase.dst(t)
+			err := runTest(ctx, fd, tracker, dst, testCase.mtu)
+			if testCase.success {
+				require.NoError(t, err)
+			} else {
+				require.Error(t, err)
+			}
+		})
+	}
+}
+
+var errRouteNotFound = errors.New("route not found")
+
+func findLoopbackMTU(netlinker *netlink.NetLink) (mtu uint32, err error) {
+	routes, err := netlinker.RouteList(netlink.FamilyV4)
+	if err != nil {
+		return 0, fmt.Errorf("getting routes list: %w", err)
+	}
+	for _, route := range routes {
+		if route.Dst.IsValid() && route.Dst.Addr().IsLoopback() {
+			link, err := netlinker.LinkByIndex(route.LinkIndex)
+			if err != nil {
+				return 0, fmt.Errorf("getting link by index: %w", err)
+			}
+			// Quirk: make sure it is maximum 65535, and not i.e. 65536
+			// or the IP header 16 bits will fail to fit that packet length value.
+			const maxMTU = 65535
+			return min(link.MTU, maxMTU), nil
+		}
+	}
+	return 0, fmt.Errorf("%w: no loopback route found", errRouteNotFound)
+}
+
+func findDefaultIPv4RouteMTU(netlinker *netlink.NetLink) (mtu uint32, err error) {
+	noopLogger := &noopLogger{}
+	routing := routing.New(netlinker, noopLogger)
+	defaultRoutes, err := routing.DefaultRoutes()
+	if err != nil {
+		return 0, fmt.Errorf("getting default routes: %w", err)
+	}
+	for _, route := range defaultRoutes {
+		if route.Family != netlink.FamilyV4 {
+			continue
+		}
+		link, err := netlinker.LinkByName(defaultRoutes[0].NetInterface)
+		if err != nil {
+			return 0, fmt.Errorf("getting link by name: %w", err)
+		}
+		return link.MTU, nil
+	}
+	return 0, fmt.Errorf("%w: no default route found", errRouteNotFound)
+}
+
+func reserveClosedPort(t *testing.T) (port uint16) {
+	t.Helper()
+
+	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_STREAM, syscall.IPPROTO_TCP)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		err := syscall.Close(fd)
+		assert.NoError(t, err)
+	})
+
+	addr := &syscall.SockaddrInet4{
+		Port: 0,
+		Addr: [4]byte{127, 0, 0, 1},
+	}
+
+	err = syscall.Bind(fd, addr)
+	if err != nil {
+		_ = syscall.Close(fd)
+		t.Fatal(err)
+	}
+
+	sockAddr, err := syscall.Getsockname(fd)
+	if err != nil {
+		_ = syscall.Close(fd)
+		t.Fatal(err)
+	}
+
+	sockAddr4, ok := sockAddr.(*syscall.SockaddrInet4)
+	if !ok {
+		_ = syscall.Close(fd)
+		t.Fatal("not an IPv4 address")
+	}
+
+	return uint16(sockAddr4.Port) //nolint:gosec
+}
+
+type noopLogger struct{}
+
+func (l *noopLogger) Patch(_ ...log.Option)     {}
+func (l *noopLogger) Debug(_ string)            {}
+func (l *noopLogger) Debugf(_ string, _ ...any) {}
+func (l *noopLogger) Info(_ string)             {}
+func (l *noopLogger) Warn(_ string)             {}
+func (l *noopLogger) Error(_ string)            {}