On Tue, Jun 18, 2019 at 2:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> > I am confused. So this statement from the manual page is just an illusion?
> >
> >     --mss maximum segment size
> >         Maximum segment size announced to clients. This must
> >         match the backend.
> >
> > ?
>
> Your question was about MSS sent to server.
>
> Flow is this:
>
>     Client        Synproxy        Server
>       -> Syn, mss X
>       <- Synack, mss M
>       -> ACK
>                     -> Syn, mss Y
>
> M is what you need to configure via --mss switch.
>
> Because Synproxy keeps no state, it can only send
> to real server the MSS that was encoded in syncookie (in synack)
> packet. Therefore, X == Y only if the value from client matches
> exactly one of the four values of the mss table, in all other
> cases Y is the next lowest available one. In your case that's 536.
>
> > I don't understand why these restrictions exist. Why can't we set mss
> > value same as what the client sends to us?
>
> We only have 2 bits out of the 32-bit sequence number for MSS. Increasing
> mss state table reduces security margin of the cookie.

My question is about both ways, actually. If you check out my tests, M is also not correct. Client sends mss 1260 and syn proxy responds 1260 too although I set mss 1460 in iptables.
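The quantisation Florian describes (a stateless proxy can only carry 2 bits of MSS information in the syncookie, so the SYN toward the real server gets the next lowest of four table values) is easy to see in code. The following is an added example written for this thread, not code from the netfilter project or from anyone in the discussion. It assumes the four-entry table used by the Linux syncookie code (536, 1300, 1440, 1460), and the cookie layout it uses is a deliberately simplified toy, not the kernel's real sequence-number construction.

```python
"""Added example: why a stateless SYN proxy cannot forward the client's
exact MSS, and how 2 bits of the 32-bit syncookie select it.

Assumptions (not from the original mail thread):
  * MSS_TABLE matches the Linux kernel's syncookie table (assumed here).
  * pack_cookie()/unpack_mss_index() use a toy layout with the 2-bit
    index in the low bits; the kernel's real cookie is built differently.
"""

# Four ascending entries: exactly what 2 bits can index.
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed table
MSS_INDEX_BITS = 2
MSS_INDEX_MASK = (1 << MSS_INDEX_BITS) - 1


def mss_to_index(client_mss: int) -> int:
    """Return the index of the largest table entry not exceeding client_mss.

    This is the 'next lowest available' rule from the thread. A client
    advertising less than the smallest entry is clamped to index 0, since
    the proxy has no smaller value it can encode.
    """
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= client_mss:
            idx = i
    return idx


def index_to_mss(idx: int) -> int:
    """Decode a 2-bit index back to the MSS the proxy will announce."""
    return MSS_TABLE[idx & MSS_INDEX_MASK]


def pack_cookie(opaque_30_bits: int, mss_index: int) -> int:
    """Toy 32-bit cookie: 30 opaque bits (would be hash/timestamp material
    in a real implementation) plus the MSS index in the low 2 bits."""
    opaque_30_bits &= (1 << 30) - 1
    return (opaque_30_bits << MSS_INDEX_BITS) | (mss_index & MSS_INDEX_MASK)


def unpack_mss_index(cookie: int) -> int:
    """Recover the MSS index from the low 2 bits of the cookie."""
    return cookie & MSS_INDEX_MASK


def server_side_mss(client_mss: int, opaque: int = 0x2A3B4C5D) -> int:
    """Simulate the proxy: encode the client's MSS (X) into the cookie on
    the SYN-ACK, forget everything, then on the client's ACK recover the
    MSS for the SYN toward the real server (Y) from the cookie alone."""
    cookie = pack_cookie(opaque, mss_to_index(client_mss))
    # The proxy kept no state; the cookie is all it has on the ACK.
    return index_to_mss(unpack_mss_index(cookie))


def exact_match(client_mss: int) -> bool:
    """True only when X == Y, i.e. the client's MSS is a table value."""
    return server_side_mss(client_mss) == client_mss


if __name__ == "__main__":
    # Constructed sample of client MSS values (X) and what the server sees (Y).
    for x in (400, 536, 1260, 1300, 1400, 1440, 1460, 9000):
        print(f"client mss X={x:5d} -> server mss Y={server_side_mss(x):5d}"
              f"  exact={exact_match(x)}")
```

Running the block shows the case from the thread directly: a client advertising 1260 lands between 536 and 1300 in the table, so the only value the proxy can encode and later recover is 536, while 1300, 1440 and 1460 round-trip unchanged. Widening the table would need more cookie bits, which is the trade-off against the cookie's security margin that Florian points out.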