Hi all,
I have a question and a possible patch/mod for target TCPMSS (xt_TCPMSS.c).
At the very beginning of function tcpmss_mangle_packet(), the skb containing the
TCP SYN packet is checked to see if it is containing data (on a side note, SYN
with data is quite unusual...); if so, the packet is drastically dropped.
The reason is explained in RR's comment to the code, I am copy/pasting the
beginning of this function with the length check at the bottom of this mail.
RR says that we cannot change MSS on a packet which is already carrying data
(it would be too late): could we relax this check, seeing if the tcp payload is
less than the MSS we are about to set?
Something like:
if (tcplen > info->mss) {
if (net_ratelimit())
printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
(*pskb)->len);
return -1;
}
With such a mod, MSS clamping would happen even for TCP SYN with data
if the data
length (instead of dropping the packet) is not exceeding the MSS we want to set.
Thanks and regards,
Luca Pesce
static int
tcpmss_mangle_packet(struct sk_buff **pskb,
const struct xt_tcpmss_info *info,
unsigned int tcphoff,
unsigned int minlen)
{
struct tcphdr *tcph;
unsigned int tcplen, i;
__be16 oldval;
u16 newmss;
u8 *opt;
if (!skb_make_writable(pskb, (*pskb)->len))
return -1;
tcplen = (*pskb)->len - tcphoff;
tcph = (struct tcphdr *)((*pskb)->nh.raw + tcphoff);
/* Since it passed flags test in tcp match, we know it is is
not a fragment, and has data >= tcp header length. SYN
packets should not contain data: if they did, then we risk
running over MTU, sending Frag Needed and breaking things
badly. --RR */
if (tcplen != tcph->doff*4) {
if (net_ratelimit())
printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
(*pskb)->len);
return -1;
}
[...]
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
