İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> On Tue, Jun 18, 2019 at 1:40 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Problem is that we do not keep any state. Syncookies are restricted to 4
> > mss values:
> >
> > static __u16 const msstab[] = {
> >         536,
> >         1300,
> >         1440,   /* 1440, 1452: PPPoE */
> >         1460,
> > };
> >
> > So, 1260 forces lowest value supported.
> >
> > The table was based off a research paper that had mss distribution
> > tables. Maybe more recent data is available and if things have changed
> > we could update the table accordingly.
>
> I am confused. So this statement from manual page is just an illusion?
>
>   --mss maximum segment size
>       Maximum segment size announced to clients. This must
>       match the backend.
> ?

Your question was about MSS sent to server. Flow is this:

  Client          Synproxy          Server
    -> Syn, mss X
    <- Synack, mss M
    -> ACK
                     -> Syn, mss Y

M is what you need to configure via --mss switch.

Because Synproxy keeps no state, it can only send to real server the MSS
that was encoded in syncookie (in synack) packet.

Therefore, X == Y only if the value from client matches exactly one of the
four values of the mss table; in all other cases Y is the next lowest
available one. In your case that's 536.

> I don't understand why these restriction exist. Why can't we set mss
> value same as what client send to us?

We only have 2 bits out of the 32-bit sequence number for MSS.
Increasing mss state table reduces security margin of the cookie.
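To make the "next lowest table value" rule and the 2-bit budget concrete, here is an added example (not code from the thread or from the netfilter tree): it reproduces the four-entry table above, maps a client MSS to the value the proxy can replay to the backend, and packs the table index into a 32-bit cookie. The cookie layout is an assumed, simplified one, not the kernel's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The four-entry table quoted in the thread. Only an index into it
 * (0..3, i.e. 2 bits) survives in the cookie, so only these values
 * can ever be offered to the real server. */
static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };
#define MSSTAB_LEN (sizeof(msstab) / sizeof(msstab[0]))

/* Largest table entry that does not exceed the client's MSS;
 * anything below 1300 (e.g. the 1260 from the thread) lands on entry 0. */
unsigned int mss_index(uint16_t client_mss)
{
    unsigned int i;
    for (i = MSSTAB_LEN - 1; i > 0; i--)
        if (client_mss >= msstab[i])
            break;
    return i;
}

/* MSS the proxy ends up sending to the backend (the "Y" in the flow). */
uint16_t server_mss(uint16_t client_mss)
{
    return msstab[mss_index(client_mss)];
}

/* Assumed layout for illustration only: the 2-bit index occupies the low
 * bits of the 32-bit ISN, the other 30 bits carry the keyed hash material.
 * Every extra index bit for a larger table is one bit less of that
 * material, which is the "security margin" the reply refers to. */
#define MSS_BITS 2u
#define MSS_MASK ((1u << MSS_BITS) - 1u)

uint32_t cookie_pack(uint32_t hash_material, unsigned int mssind)
{
    return (hash_material & ~MSS_MASK) | (mssind & MSS_MASK);
}

uint16_t cookie_unpack_mss(uint32_t cookie)
{
    return msstab[cookie & MSS_MASK];
}

int main(void)
{
    uint16_t x = 1260;                       /* client MSS from the thread */
    uint32_t cookie = cookie_pack(0xA5A5A5A5u, mss_index(x)); /* constructed */
    printf("client mss %u -> server mss %u\n", x, cookie_unpack_mss(cookie));
    return 0;
}
```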