Re: Is this possible SYN Proxy bug?

İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> On Tue, Jun 18, 2019 at 1:40 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > Problem is that we do not keep any state.  Syncookies are restricted to 4
> > mss values:
> > static __u16 const msstab[] = {
> >  536,
> > 1300,
> > 1440,   /* 1440, 1452: PPPoE */
> > 1460,
> > };
> >
> > So, 1260 forces lowest value supported.
> >
> > The table was based off a research paper that had mss distribution
> > tables.  Maybe more recent data is available and if things have changed
> > we could update the table accordingly.
> 
> I am confused. So this statement from the manual page is just an illusion?
> --mss maximum segment size
>        Maximum segment size announced to clients. This must
>        match the backend.

?

Your question was about MSS sent to server.

Flow is this:
Client          Synproxy         Server
  -> Syn, mss X
  <- Synack, mss M
  -> ACK
                 -> Syn, mss Y

M is what you need to configure via --mss switch.

Because Synproxy keeps no state, it can only send
to the real server the MSS that was encoded in the syncookie (in the synack)
packet.  Therefore, X == Y only if the value from the client matches
exactly one of the four values of the mss table; in all other
cases Y is the next lowest available one.  In your case that's 536.

> I don't understand why these restrictions exist. Why can't we set the mss
> value to the same as what the client sends to us?

We only have 2 bits out of the 32-bit sequence number for MSS. Increasing
the mss table reduces the security margin of the cookie.
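The MSS mapping described in this reply (client MSS X -> next lowest table entry -> MSS Y sent to the server), as an added illustration that is not code from the thread or from the kernel. The table is the one quoted above; the cookie encode/decode pair is a simplified stand-in for the real cookie construction and only shows why four entries consume exactly 2 bits. Clamping of values below 536 to index 0 is an assumption of this example.

```c
#include <stdint.h>
#include <stddef.h>

/* The four-entry MSS table quoted earlier in the thread. */
static const uint16_t msstab[] = {
	536,
	1300,
	1440,	/* 1440, 1452: PPPoE */
	1460,
};
#define MSSTAB_SIZE (sizeof(msstab) / sizeof(msstab[0]))

/* Only 2 bits of the 32-bit sequence number are spent on MSS, so at most
 * four table entries can be distinguished; a larger table would need more
 * bits and leave fewer for the cookie's keyed hash. */
#define MSS_BITS 2u
#define MSS_MASK ((1u << MSS_BITS) - 1u)

/* Map the MSS announced by the client (X) to the table index that gets
 * encoded in the syncookie: the largest entry not exceeding X.
 * Assumption: anything below the smallest entry is clamped to index 0. */
static unsigned int synproxy_mss_index(uint16_t client_mss)
{
	unsigned int i;

	for (i = MSSTAB_SIZE - 1; i > 0; i--)
		if (client_mss >= msstab[i])
			break;
	return i;
}

/* MSS the stateless proxy can later reproduce toward the real server (Y).
 * Equals X only when X is exactly one of the four table values. */
static uint16_t synproxy_mss_to_server(uint16_t client_mss)
{
	return msstab[synproxy_mss_index(client_mss)];
}

/* Simplified illustration, NOT the kernel's actual cookie layout: keep the
 * index in the low MSS_BITS of the cookie and recover it from the ACK.
 * hash_part stands in for the keyed hash the real implementation uses. */
static uint32_t cookie_encode_mss(uint32_t hash_part, uint16_t client_mss)
{
	return (hash_part & ~MSS_MASK) | synproxy_mss_index(client_mss);
}

static uint16_t cookie_decode_mss(uint32_t cookie)
{
	return msstab[cookie & MSS_MASK];
}
```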
