On Tue, Jun 18, 2019 at 3:40 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Does this patch fix the problem for you?
>
> diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c > --- a/net/ipv4/netfilter/ipt_SYNPROXY.c > +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c > @@ -286,6 +286,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) > opts.options |= XT_SYNPROXY_OPT_ECN; > > opts.options &= info->options; > + opts.mss = info->mss; > if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) > synproxy_init_timestamp_cookie(info, &opts); > else > diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c > --- a/net/ipv6/netfilter/ip6t_SYNPROXY.c > +++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c > @@ -300,6 +300,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) > opts.options |= XT_SYNPROXY_OPT_ECN; > > opts.options &= info->options; > + opts.mss = info->mss; > if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) > synproxy_init_timestamp_cookie(info, &opts); > else

I applied this patch and did the same test with the same setup. On the external interface the mss value seems correct. But this time, on the internal interface, the firewall set the mss value to 1460 on the SYN packet rather than 536. Here are samples.

External
10.0.0.215.60812 > 10.0.1.213.80: Flags [S], seq 1275328749, win 25200, options [mss 1260,sackOK,TS val 183998290 ecr 0,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60812: Flags [S.], seq 584730658, ack 1275328750, win 0, options [mss 1460,sackOK,TS val 193047 ecr 183998290,nop,wscale 2], length 0

Internal
10.0.0.215.60812 > 10.0.1.213.80: Flags [S], seq 1275328749, win 197, options [mss 1460,sackOK,TS val 183998290 ecr 193047,nop,wscale 7], length 0
10.0.1.213.80 > 10.0.0.215.60812: Flags [S.], seq 3022386930, ack 1275328750, win 14480, options [mss 1460,sackOK,TS val 101024266 ecr 183998290,nop,wscale 2], length 0
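
Review bot: in the synproxy_tg4 hunk, `opts.mss = info->mss;` overwrites whatever opts.mss held before this point, so any later use in the function that still needs the earlier value can no longer get it. The capture in the reply, where the internal SYN carries mss 1460 while the client's external SYN carried mss 1260, would fit with that. Consider saving the previous value in a separate field or local before the assignment and using each value only where it is meant to apply.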
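
Review bot: in the synproxy_tg6 hunk, the new assignment runs unconditionally right after `opts.options &= info->options;`, so info->mss is copied even when XT_SYNPROXY_OPT_MSS did not survive that mask. If that is intended, a one-line comment saying so would help; otherwise guard the assignment on the option bit. The same line is also added verbatim to synproxy_tg4, which suggests a shared helper for the option setup so the IPv4 and IPv6 targets cannot drift apart.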