> The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues > connecting to websites if there was no MSS option present in the > original SYN packet from the client. In these cases, it may add a > MSS higher than the default specified in RFC879. Fix this by never > setting a value > 536 if no MSS option was specified by the client. > > This closes netfilter's bugzilla #662. ... > + /* RFC 879 states that the default MSS is 536 without specific > + * knowledge that the destination host is prepared to accept larger. > + * Since no MSS was provided, we MUST NOT set a value > 536. > + */ > + newmss = min(newmss, (u16)536); > + Is setting the mss to 536 actually ever sensible? RFC 879 might say that it is the default (and the minimum that must be supported), but in practise the actual mss is very likely to be only slightly shorter than the standard ethernet mss. Although strict conformance with RFC 879 might require the mss be clamped to 536, pragmatically a value much nearer 1400 would make sense - systems with very low mtu/mss are probably likely to advertise it. David -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
