Real servers behind a load balancer that forwards traffic to them using some kind of encapsulation, such as IPIP, need to perform TCP MSS clamping to avoid fragmentation issues: the encapsulation header eats into the link MTU, so a segment sized for the bare link no longer fits once it has been wrapped.
This mechanism should be generic enough to run on the plethora of real servers WMF currently operates. For example, we have real servers (the CDN cluster) where netfilter can't be used.
discarded alternatives:
- injecting an MSS option using a BPF program of type BPF_PROG_TYPE_SOCK_OPS (see https://phabricator.wikimedia.org/T350462#9305346)
viable alternatives:
- injecting an MSS option using an XDP program: being implemented in https://gitlab.wikimedia.org/vgutierrez/tcp-mss-clamper/-/merge_requests/1
remaining alternatives to explore:
- ip rule + ip route (e.g. policy routing to routes that carry a lower advmss)
- nftables (tcp option maxseg size set; not an option for real servers where netfilter can't be used, such as the CDN cluster)
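As an added illustration (not code from the tcp-mss-clamper project or the MR above), the following C program models the packet surgery an XDP clamper has to perform on a real server: walk the outer IPv4 header (IPIP, protocol 4) into the inner one, find the MSS option on a TCP SYN, lower it to 1440 (1500 - 20 outer IPv4 - 20 inner IPv4 - 20 TCP, assuming a 1500-byte link MTU) and fix the TCP checksum incrementally instead of recomputing it over the payload. The 1500-byte MTU, the addresses and the frame are assumptions built into the example. An XDP program does the same walk with the same bounds checks, against data_end, and since it has no skb it cannot use bpf_l4_csum_replace, which is why the RFC 1624 arithmetic is spelled out by hand.

```c
/* Added example, not code from the tcp-mss-clamper project: a user-space model of
 * what an MSS clamper (an XDP program included) does to a packet: walk Ethernet ->
 * IPv4 [-> inner IPv4 when the outer protocol is IPIP] -> TCP, lower the MSS option
 * of a SYN to a maximum and patch the TCP checksum incrementally (RFC 1624).
 * The frame and addresses used below are constructed, not captured. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { ETH_HLEN = 14, IPV4_HLEN = 20, TCP_HLEN = 20, ETHERTYPE_IPV4 = 0x0800, PROTO_IPIP = 4,
       PROTO_TCP = 6, TCP_FLAG_SYN = 0x02, TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2 };
/* Assumed 1500-byte link MTU. IPIP prepends a second 20-byte IPv4 header, so the
 * inner segment must fit in 1500 - 20 (outer) - 20 (inner) - 20 (TCP) = 1440 bytes. */
enum { LINK_MTU = 1500, IPIP_OVERHEAD = 20,
       CLAMPED_MSS = LINK_MTU - IPIP_OVERHEAD - IPV4_HLEN - TCP_HLEN };

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Ones-complement arithmetic: accumulate 16-bit words, fold the carries. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += get16(p);
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }
/* Folded sum over IPv4 pseudo-header + TCP segment: with the checksum field zeroed
 * its complement is the checksum; with the checksum in place a valid segment gives 0xffff. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tcp_len) {
    uint32_t sum = csum_add(0, ip + 12, 8) + PROTO_TCP + (uint32_t)tcp_len;
    return csum_fold(csum_add(sum, tcp, tcp_len));
}

/* Returns 1 if the SYN's MSS was lowered to max_mss, 0 if there was nothing to do, -1 if
 * the frame is not a well-formed IPv4 (or IPv4-in-IPv4) TCP segment. Every access is
 * bounds-checked against len, exactly as the XDP verifier insists on for data_end. */
static int clamp_mss(uint8_t *frame, size_t len, uint16_t max_mss) {
    size_t off = ETH_HLEN;
    if (len < ETH_HLEN || get16(frame + 12) != ETHERTYPE_IPV4) return -1;
    for (int hop = 0;; hop++) {
        if (off + IPV4_HLEN > len) return -1;
        const uint8_t *ip = frame + off;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
        if ((ip[0] >> 4) != 4 || ihl < IPV4_HLEN || off + ihl > len) return -1;
        if (get16(ip + 6) & 0x1fff) return -1;  /* non-first fragment: no TCP header here */
        off += ihl;
        if (ip[9] == PROTO_TCP) break;
        if (ip[9] != PROTO_IPIP || hop == 1) return -1;  /* one level of IPIP only */
    }
    if (off + TCP_HLEN > len) return -1;
    uint8_t *tcp = frame + off;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < TCP_HLEN || off + doff > len) return -1;
    if (!(tcp[13] & TCP_FLAG_SYN)) return 0;  /* MSS is only carried on SYNs */
    for (size_t i = TCP_HLEN; i < doff;) {
        uint8_t kind = tcp[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        uint8_t olen = i + 1 < doff ? tcp[i + 1] : 0;  /* 0 fails the length check below */
        if (olen < 2 || i + olen > doff) return -1;
        if (kind == TCPOPT_MSS) {
            if (olen != 4) return -1;
            uint16_t old = get16(tcp + i + 2);
            if (old <= max_mss) return 0;
            put16(tcp + i + 2, max_mss);
            /* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'); no pass over the payload needed */
            uint32_t s = (uint16_t)~get16(tcp + 16);
            s += (uint16_t)~old + max_mss;
            put16(tcp + 16, (uint16_t)~csum_fold(s));
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Constructed IPIP-encapsulated SYN: outer 10.0.0.1 (LB) -> 10.0.0.2 (real server), inner
 * 192.0.2.1 (client) -> 198.51.100.10 (VIP), one MSS option. IP header checksums are
 * left zero: the clamper never touches the IP headers. */
static size_t build_ipip_syn(uint8_t *frame, uint16_t mss) {
    static const uint8_t addrs[16] = {10,0,0,1, 10,0,0,2, 192,0,2,1, 198,51,100,10};
    const size_t tcp_len = TCP_HLEN + 4, total = ETH_HLEN + 2 * IPV4_HLEN + tcp_len;
    uint8_t *outer = frame + ETH_HLEN, *inner = outer + IPV4_HLEN, *tcp = inner + IPV4_HLEN;
    memset(frame, 0, total);
    put16(frame + 12, ETHERTYPE_IPV4);
    outer[0] = 0x45; put16(outer + 2, (uint16_t)(total - ETH_HLEN));
    outer[8] = 64; outer[9] = PROTO_IPIP; memcpy(outer + 12, addrs, 8);
    inner[0] = 0x45; put16(inner + 2, (uint16_t)(IPV4_HLEN + tcp_len));
    inner[8] = 64; inner[9] = PROTO_TCP; memcpy(inner + 12, addrs + 8, 8);
    put16(tcp, 40000); put16(tcp + 2, 443); put16(tcp + 14, 65535);
    tcp[12] = (uint8_t)((tcp_len / 4) << 4); tcp[13] = TCP_FLAG_SYN;
    tcp[20] = TCPOPT_MSS; tcp[21] = 4; put16(tcp + 22, mss);
    put16(tcp + 16, (uint16_t)~tcp_csum(inner, tcp, tcp_len));
    return total;
}

/* Clamp a constructed SYN advertising `advertised` (optionally truncated to `truncate_to`
 * bytes) and return the MSS it carries afterwards, 0 if the TCP checksum no longer
 * verifies, or -1 if clamp_mss() rejected the frame. */
static int clamp_demo(uint16_t advertised, uint16_t max_mss, size_t truncate_to) {
    uint8_t frame[128];
    size_t len = build_ipip_syn(frame, advertised);
    if (truncate_to && truncate_to < len) len = truncate_to;
    if (clamp_mss(frame, len, max_mss) < 0) return -1;
    const uint8_t *inner = frame + ETH_HLEN + IPV4_HLEN, *tcp = inner + IPV4_HLEN;
    return tcp_csum(inner, tcp, TCP_HLEN + 4) == 0xffff ? get16(tcp + 22) : 0;
}
```

clamp_demo(1460, CLAMPED_MSS, 0) returns 1440 with a checksum that still verifies, clamp_demo(1400, CLAMPED_MSS, 0) leaves the SYN alone and returns 1400, and a frame truncated to 60 bytes is rejected before any option byte is read. The fragment-offset check matters for a clamper running before the IP stack: a non-first fragment of an IPIP payload carries no TCP header, and blindly reading one would corrupt the packet or, in XDP, fail verification.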