From a09b28edff67a3875ca983aceb70e5be45327ed8 Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Thu, 30 Apr 2026 21:14:39 -0700
Subject: [PATCH] fix(vyos): ensure tcp mss nft chain before commit

---
 network/vyos/ansible/playbooks/deploy.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/network/vyos/ansible/playbooks/deploy.yml b/network/vyos/ansible/playbooks/deploy.yml
index f2d909d..73753f8 100644
--- a/network/vyos/ansible/playbooks/deploy.yml
+++ b/network/vyos/ansible/playbooks/deploy.yml
@@ -451,6 +451,23 @@
 - "{{ ansible_user }}@{{ ansible_host }}"
 - "sudo {{ remote_dns_mirror_fetch_script_path }}"
 
+ - name: Ensure IPv4 TCP MSS nftables chain exists before interface commit
+ delegate_to: localhost
+ ansible.builtin.command:
+ argv:
+ - ssh
+ - -i
+ - "{{ ansible_ssh_private_key_file }}"
+ - -o
+ - StrictHostKeyChecking=no
+ - -o
+ - UserKnownHostsFile=/dev/null
+ - "{{ ansible_user }}@{{ ansible_host }}"
+ - >-
+ sudo nft list chain ip raw VYOS_TCP_MSS >/dev/null 2>&1 ||
+ sudo nft 'add chain ip raw VYOS_TCP_MSS { type filter hook postrouting priority raw; policy accept; }'
+ changed_when: false
+
 - name: Load, commit, and save configuration
 vyos.vyos.vyos_command:
 commands:
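Review bot: The new ssh invocation disables host authentication (`-o StrictHostKeyChecking=no` together with `-o UserKnownHostsFile=/dev/null`) on a session that presents the private key and then runs `sudo nft` to alter the firewall, so a redirected or impersonated host would be accepted silently; the task just above the added block appears to use the same options, so both should point `UserKnownHostsFile` at a checked-in host-key file (`<path-to-managed-known_hosts>`) and drop the `StrictHostKeyChecking=no` override. Separately, `changed_when: false` reports no change even when the `||` branch actually creates `VYOS_TCP_MSS`; ending that branch with `&& echo created`, registering the result, and using `changed_when: "'created' in <registered>.stdout"` keeps the run log honest without altering what the task does. The enclosing play and the preceding task's argv start outside the hunk.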