From 3b749bc89992f272060c8c9efc34a21c2b21c836 Mon Sep 17 00:00:00 2001 From: Andris PE Date: Sun, 25 May 2025 18:04:23 +0000 Subject: [PATCH] ruleset: skip _iifname match for !tcp in mss fix Add explicit l4proto match before _ifname to avoid burning cycles for other protocols, eliminating measurable (iperf3) udp re-ordering Displayed back rules show pessimal combo even new one is loaded. Signed-off-by: Andris PE --- root/usr/share/firewall4/templates/zone-mssfix.uc | 1 + tests/01_configuration/01_ruleset | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/root/usr/share/firewall4/templates/zone-mssfix.uc b/root/usr/share/firewall4/templates/zone-mssfix.uc index 17b6e92..c9c68b5 100644 --- a/root/usr/share/firewall4/templates/zone-mssfix.uc +++ b/root/usr/share/firewall4/templates/zone-mssfix.uc @@ -1,5 +1,6 @@ {%+ if (rule.family): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} + meta l4proto tcp {%+ -%} {%+ include("zone-match.uc", { egress, rule }) -%} tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu {%+ if (zone.log & 2): -%} log prefix "MSSFIX {{ zone.name }} out: " {%+ endif -%} diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset index 108dff9..91dcbfd 100644 --- a/tests/01_configuration/01_ruleset +++ b/tests/01_configuration/01_ruleset @@ -269,7 +269,7 @@ table inet fw4 { chain mangle_postrouting { type filter hook postrouting priority mangle; policy accept; - oifname "pppoe-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" + meta l4proto tcp oifname "pppoe-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" } chain mangle_input { 
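Review bot: The added `meta l4proto tcp {%+ -%}` line has no explanation, and because the `tcp flags` match further down already limits the rule to TCP, it reads as redundant and could be dropped in a later cleanup. The commit message gives the reason: non-TCP packets should fail before the interface match from zone-match.uc is evaluated. That reason belongs in the template, for example `{# l4proto first: non-TCP traffic leaves the rule before the interface match; ordering only, match set unchanged #}` directly above the line, after checking that the comment tag adds no whitespace to the rendered rule. The bare `{%+ -%}` tag appears to exist only to trim the line break, which the same comment could state. As far as the visible lines show, the set of packets whose MSS is clamped is unchanged by this hunk.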
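Review bot: Both updated expectations, here in mangle_postrouting and in the mangle_forward hunk at line 282, render the wan zone without a family restriction, so the template's `rule.family` branch is not exercised by anything visible in this patch. In that branch `meta nfproto …` precedes the new `meta l4proto tcp`. Since the diffstat shows only these two expectation lines changing, it appears no fixture renders a family-restricted MSS-fix rule; adding one would pin the token order and spacing for that path. These expectations compare rendered text only, and the commit message says rules listed back may still show the old order, so it is worth recording next to the fixture that the listing cannot confirm the loaded order.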
@@ -282,7 +282,7 @@ table inet fw4 { chain mangle_forward { type filter hook forward priority mangle; policy accept; - iifname "pppoe-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing" + meta l4proto tcp iifname "pppoe-wan" tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing" } } -- End --