Re: Re: Re: Re: Re: Re: Flowtable with ppp/bridge

Hi,

On Thu, May 06, 2021 at 11:53:21AM +0200, Frank Wunderlich wrote:
> Hi
> > Gesendet: Donnerstag, 06. Mai 2021 um 00:55 Uhr
> > Von: "Pablo Neira Ayuso" <pablo@xxxxxxxxxxxxx>
> 
> > rfc6691 says that TCP MSS is:
> >
> >    The maximum number of data octets that may be received by the
> >    sender of this TCP option in TCP segments with no TCP header
> >    options transmitted in IP datagrams with no IP header option
> 
> right, tell the receiver which size of tcp-payload the sender can handle.
> I wonder about "IP datagrams", which reminds me of udp but has nothing
> to do with tcp. I think mss does nothing for udp, am I right?

UDP relies on IP fragmentation.

> > By "flowtable condition" I'm not sure if you're referring to the "flow
> > add" statement, though.
> 
> right, the "flow add" line with the condition (in my simple example all tcp/udp)
> 
> >    chain FORWARD {
> >         type filter hook forward priority 0; policy drop;
> >
> >         tcp flags syn tcp option maxseg size set rt mtu
> >         ct state vmap { established : jump FORWARD_established, related : jump FORWARD_established, new : jump FORWARD_new }
> >    }
> > }
> 
> Thanks for the example, I wonder about this:
> 
> established : jump FORWARD_established, related : jump FORWARD_established
> 
> so established and related are moved to the established-chain, so
> far so good, but you wrote in the previous mail that the forward-chain is
> only processed for syn-packets (the first 2: syn and syn-ack), so
> imho there should be no established connections there.

In conntrack, "established" state means: packets in both directions
have been seen; therefore, TCP established != conntrack established.
The first syn-ack reply packet matches "ct state established".
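A complete ruleset built around the FORWARD chain quoted in this thread, added here as an illustration and not taken from the mail or from the netfilter project; the table name, the flowtable named ft, its device list and the permitted ports are assumptions:

```nft
# Added example (not from the thread). Assumed: table "filter", flowtable
# "ft", devices eth0/ppp0, and the port lists in FORWARD_new.
table inet filter {
    flowtable ft {
        hook ingress priority 0
        devices = { eth0, ppp0 }
    }

    chain FORWARD_new {
        # First packet of a connection (conntrack "new"): apply policy.
        tcp dport { 22, 80, 443 } accept
        udp dport 53 accept
        # Anything else falls back to the FORWARD policy (drop).
    }

    chain FORWARD_established {
        # Conntrack "established" = both directions seen, so the syn-ack
        # reply already lands here. Only now hand the flow to the flowtable;
        # later packets of this flow bypass the forward hook entirely.
        ct state established flow add @ft
        accept
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        # syn/syn-ack are never offloaded, so MSS clamping still runs on
        # the packets that carry the option.
        tcp flags syn tcp option maxseg size set rt mtu

        # "invalid" has no map entry and is dropped by the chain policy.
        ct state vmap { established : jump FORWARD_established,
                        related : jump FORWARD_established,
                        new : jump FORWARD_new }
    }
}
```

Check the result with `nft list flowtables` and `nft list chain inet filter FORWARD` after loading; an established flow that never shows up in the flowtable usually means the packets arrived on a device not listed in `devices`.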
