İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> On Tue, Jun 18, 2019 at 2:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> >
> > > I am confused. So this statement from the manual page is just an illusion?
> > > --mss maximum segment size
> > > Maximum segment size announced to clients. This must
> > > match the backend.
> >
> > ?
> >
> > Your question was about MSS sent to server.
> >
> > Flow is this:
> > Client         Synproxy        Server
> >   -> Syn, mss X
> >   <- Synack, mss M
> >   -> ACK
> >                  -> Syn, mss Y
> >
> > M is what you need to configure via --mss switch.
> >
> > Because Synproxy keeps no state, it can only send
> > to real server the MSS that was encoded in syncookie (in synack)
> > packet. Therefore, X == Y only if the value from client matches
> > exactly one of the four values of the mss table; in all other
> > cases Y is the next lowest available one. In your case that's 536.
> >
> > > I don't understand why these restrictions exist. Why can't we set the mss
> > > value to the same as what the client sends to us?
> >
> > We only have 2 bits out of the 32-bit sequence number for MSS. Increasing
> > the mss state table reduces the security margin of the cookie.
>
> My question is about both ways actually. If you check out my tests, M is
> also not correct. Client sends mss 1260 and syn proxy responds 1260
> too although I set mss 1460 in iptables.

Does this patch fix the problem for you?

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -286,6 +286,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 	opts.options |= XT_SYNPROXY_OPT_ECN;
 	opts.options &= info->options;
+	opts.mss = info->mss;
 	if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
 		synproxy_init_timestamp_cookie(info, &opts);
 	else
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -300,6 +300,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 	opts.options |= XT_SYNPROXY_OPT_ECN;
 	opts.options &= info->options;
+	opts.mss = info->mss;
 	if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
 		synproxy_init_timestamp_cookie(info, &opts);
 	else
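Review bot: in the ipt_SYNPROXY.c hunk, `opts.mss = info->mss;` is assigned unconditionally, right after `opts.options &= info->options;`, so it overwrites the MSS parsed from the client's SYN even when the rule was loaded without --mss (XT_SYNPROXY_OPT_MSS not set in info->options); it should be guarded like the other options, e.g. `if (opts.options & XT_SYNPROXY_OPT_MSS) opts.mss = info->mss;`. Note also that the overwrite happens before synproxy_init_timestamp_cookie() and the synack are built, so the value carried in the cookie and forwarded to the backend (Y in the flow above) becomes info->mss rounded to the table instead of the client's X; that fixes the announced M but removes the only signal the backend had of the client's real MSS, so the two values need to be kept apart rather than sharing opts.mss.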
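Review bot: the ip6t_SYNPROXY.c hunk repeats the same unguarded `opts.mss = info->mss;` before the cookie is generated, so an IPv6 rule without --mss would likewise lose the client-announced MSS, and with --mss the backend SYN would encode the configured value rather than the client's; guard it on `opts.options & XT_SYNPROXY_OPT_MSS` and keep the client's MSS for the cookie separately from the value announced in the synack, consistently with the IPv4 side.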
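The two-bit MSS encoding Florian describes, as an added example that is not part of the thread or of the kernel source. The MSS table is the IPv4 msstab[] from net/ipv4/syncookies.c (IPv6 uses a different table); the 24/8 split of the ISN and the two-minute expiry follow the kernel's cookie layout, but toy_hash() is an assumed stand-in for the kernel's keyed hash and has no cryptographic strength.

```c
/*
 * User-space model of a SYN cookie's MSS encoding (added example, not
 * kernel code). msstab[] is the IPv4 table from net/ipv4/syncookies.c;
 * toy_hash() stands in for the kernel's keyed SipHash (assumption: any
 * 32-bit function of the tuple works for exercising the layout offline).
 */
#include <stdint.h>

#define COOKIEBITS 24
#define COOKIEMASK ((1u << COOKIEBITS) - 1)
#define MAX_SYNCOOKIE_AGE 2          /* minute counter: cookie valid for ~2 minutes */

static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };
#define MSSTAB_SIZE (sizeof(msstab) / sizeof(msstab[0]))

/* Largest table index whose MSS does not exceed the client's MSS: the
 * rounding-down Florian describes (same loop shape as the kernel's). */
static unsigned int mss_to_index(uint16_t client_mss)
{
	unsigned int mssind;

	for (mssind = MSSTAB_SIZE - 1; mssind; mssind--)
		if (client_mss >= msstab[mssind])
			break;
	return mssind;
}

/* MSS the real server will see in the SYN synproxy forwards (Y in the thread). */
uint16_t synproxy_backend_mss(uint16_t client_mss)
{
	return msstab[mss_to_index(client_mss)];
}

/* Stand-in for cookie_hash(): NOT keyed, NOT secure, toy only. */
static uint32_t toy_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
			 uint16_t dport, uint32_t count, uint32_t c)
{
	uint32_t h = 0x9e3779b9u ^ saddr;

	h = (h ^ daddr) * 0x85ebca6bu;
	h = (h ^ (((uint32_t)sport << 16) | dport)) * 0xc2b2ae35u;
	h = (h ^ count) * 0x27d4eb2fu;
	h ^= c * 0x165667b1u;
	return h ^ (h >> 15);
}

/* ISN = hash1 + client_seq + (count << 24) + ((hash2 + mssind) & 0xffffff).
 * Only the table index (2 bits) is carried; the rest is hash and counter. */
uint32_t cookie_encode(uint32_t saddr, uint32_t daddr, uint16_t sport,
		       uint16_t dport, uint32_t client_seq, uint32_t count,
		       uint16_t client_mss)
{
	uint32_t data = mss_to_index(client_mss);

	return toy_hash(saddr, daddr, sport, dport, 0, 0) + client_seq +
	       ((count & 0xffu) << COOKIEBITS) +
	       ((toy_hash(saddr, daddr, sport, dport, count, 1) + data) & COOKIEMASK);
}

/* Recover the MSS from the cookie in the client's ACK; 0 means invalid
 * (expired, or the low field does not decode to a table index). */
uint16_t cookie_decode(uint32_t cookie, uint32_t saddr, uint32_t daddr,
		       uint16_t sport, uint16_t dport, uint32_t client_seq,
		       uint32_t count_now)
{
	uint32_t diff, mssind;

	cookie -= toy_hash(saddr, daddr, sport, dport, 0, 0) + client_seq;
	diff = (count_now - (cookie >> COOKIEBITS)) & 0xffu;
	if (diff >= MAX_SYNCOOKIE_AGE)
		return 0;
	mssind = (cookie - toy_hash(saddr, daddr, sport, dport, count_now - diff, 1))
		 & COOKIEMASK;
	/* Only MSSTAB_SIZE of the 2^24 possible low-field values are accepted;
	 * a larger table widens that window, which is the security margin lost. */
	return mssind < MSSTAB_SIZE ? msstab[mssind] : 0;
}
```

For a client announcing 1260 the index is 0, so the backend SYN carries 536, matching the observation in the thread; 1400 becomes 1300 and only exact table values (1300, 1440, 1460) survive unchanged. The decode accepts a cookie for the minute it was issued and the next, then rejects it.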