Hi

> Sent: Thursday, 6 May 2021 at 00:55
> From: "Pablo Neira Ayuso" <pablo@xxxxxxxxxxxxx>

> rfc6691 says that TCP MSS is:
>
> The maximum number of data octets that may be received by the
> sender of this TCP option in TCP segments with no TCP header
> options transmitted in IP datagrams with no IP header option

Right, it tells the receiver which size of TCP payload the sender can handle. I wonder about "IP datagrams", which reminds me of UDP but has nothing to do with TCP. I think MSS does nothing for UDP, am I right?

> By "flowtable condition" I'm not sure if you're referring to the "flow
> add" statement though.

Right, the "flow add" line with the condition (in my simple example, all tcp/udp).

> chain FORWARD {
> type filter hook forward priority 0; policy drop;
>
> tcp flags syn tcp option maxseg size set rt mtu
> ct state vmap { established : jump FORWARD_established, related : jump FORWARD_established, new : jump FORWARD_new }
> }
> }

Thanks for the example. I wonder about this:

established : jump FORWARD_established, related : jump FORWARD_established

So established and related are moved to the established chain, so far so good, but you wrote in a previous mail that the forward chain is only processed for SYN packets (the first two: SYN and SYN-ACK), so IMHO there should be no established connections there.

regards Frank
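For reference, here is a complete nftables ruleset that ties together the pieces discussed in this thread: the MSS clamp on SYN packets in the forward chain, the `ct state` vmap into separate chains, and the "flow add" statement with a tcp/udp condition that hands established flows to a flowtable. This is an added example written for this page, not a ruleset posted by Pablo or Frank; the table name `inet filter`, the flowtable name `ft`, the interface names `eth0`/`eth1` and the accept-all policy in `FORWARD_new` are assumptions chosen for illustration.

```nft
# Added example ruleset (not from the original thread).
# Assumed names: table "inet filter", flowtable "ft", devices eth0/eth1.
table inet filter {
    # Flowtable on the ingress hook of the forwarding interfaces.
    # Once a flow has been added here, its packets are handled by the
    # flowtable and do not traverse the forward chain any more.
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, eth1 }
    }

    chain FORWARD_new {
        # Policy for new connections. Assumption: accept everything for the
        # sake of the example; a real ruleset would filter here.
        accept
    }

    chain FORWARD_established {
        # The "flow add" statement with its condition (tcp/udp only), as in
        # Frank's simple example: subsequent packets of these flows are
        # offloaded to the flowtable. The first packets of a connection
        # (SYN, SYN-ACK, first ACK) still pass through the forward chain
        # before the flow entry exists, which is why this chain is reached.
        meta l4proto { tcp, udp } flow add @ft
        accept
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        # Clamp the MSS to the path MTU on packets with the SYN bit set
        # (SYN and SYN-ACK). These are never offloaded yet, so the clamp
        # is always seen by the forward chain.
        tcp flags syn tcp option maxseg size set rt mtu

        # Dispatch on conntrack state, as in the quoted example.
        ct state vmap { established : jump FORWARD_established,
                        related : jump FORWARD_established,
                        new : jump FORWARD_new }
    }
}
```

Load it with `nft -f <file>` after adjusting the device names; `nft list flowtables` shows the flowtable, and `nft list chain inet filter FORWARD` shows the chain with the clamp and the vmap. Note that only packets with the SYN flag are clamped, and only TCP/UDP flows are added to the flowtable; ICMP and other protocols keep traversing the chains on every packet.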