While it's not likely to harm anything, this isn't quite right for IPv6, with a lower bound MTU of 1280.

Thanks,
-John

(Sorry, re-sending as gmail silently turned on HTML formatting.)

On Mon, Jun 10, 2013 at 12:07 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> From: Phil Oester <kernel@xxxxxxxxxxxx>
>
> The clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues
> connecting to websites if there was no MSS option present in the
> original SYN packet from the client. In these cases, it may add a
> MSS higher than the default specified in RFC879. Fix this by never
> setting a value > 536 if no MSS option was specified by the client.
>
> This closes netfilter's bugzilla #662.
>
> Signed-off-by: Phil Oester <kernel@xxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/netfilter/xt_TCPMSS.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
> index a75240f..afaebc7 100644
> --- a/net/netfilter/xt_TCPMSS.c
> +++ b/net/netfilter/xt_TCPMSS.c
> @@ -125,6 +125,12 @@ tcpmss_mangle_packet(struct sk_buff *skb,
>
> skb_put(skb, TCPOLEN_MSS);
>
> + /* RFC 879 states that the default MSS is 536 without specific
> + * knowledge that the destination host is prepared to accept larger.
> + * Since no MSS was provided, we MUST NOT set a value > 536.
> + */
> + newmss = min(newmss, (u16)536);
> +
> opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
> memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
>
> --
> 1.7.10.4
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
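Review bot: the new cap `newmss = min(newmss, (u16)536);` in tcpmss_mangle_packet is applied unconditionally on the no-MSS-option path, with no distinction by address family; if this path is also reached for IPv6 packets, as the reply above implies, the 536 value taken from RFC 879 is tighter than an IPv6 peer needs, since IPv6's lower bound MTU of 1280 leaves room for a larger segment. Consider selecting the cap according to the packet's address family, or, if 536 is intended as a deliberately conservative floor for both families, say so in the comment. The comment's "we MUST NOT set a value > 536" also reads as stronger than the "default" wording the commit message attributes to RFC879; "should not exceed" would match the cited source more closely.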