On 10 April 2024 15:48:51 UTC, "William N." <netfilter@xxxxxxxxxx> wrote:

> By asking "What about the RFC" I didn't mean "Which RFC sets the
> numbers". I meant "Why do you use the same MSS for IPv4 and IPv6,
> considering the RFC explains they are different?"

Ah, OK, see next...

> How? The two corner cases are different and 1220 is > x2 than 536, i.e.
> very far from the "corner" (limit), i.e. it would not improve
> efficiency.

I am far from a TCP or Linux kernel expert, and my English is limited... But I understand that "overhead" problem as worse with a lower number. Thus MSS=1 is worse than e.g. MSS=535, and that is worse than e.g. MSS=1219. The 536/1220 are not the minimum allowed, but the defaults if no MSS is sent... Thus lower values are valid, only often not wanted...

And I guess too that MSS values lower than the defaults are worse in IPv4 than in IPv6, as IPv6 doesn't support fragmentation, thus only segmentation happens.

Finally, any FW rule adds overhead too (to packet processing), which can be negligible in this case, but it happens. Any FW rule requires maintenance, which is overhead too (while not in packet processing), etc., etc.

When I consider these (and perhaps some more), I decided not to bother with two different values. I can be wrong, but I have used FWs without any MSS rule for years (decades), and I didn't notice any problem, and I have already learned that sometimes being too smart can be worse than not acting at all. But I was not the target of any real (D)DoS yet, only some kind(?) of attempts (to be honest).

regards

-- 
Slavko
https://www.slavino.sk/
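The thread above argues about whether a small-MSS rule needs one threshold or one per address family (536 for IPv4, 1220 for IPv6, the RFC default MSS values used when a SYN carries no MSS option). The following Python is an added example, not code from the netfilter list or from either poster: it parses the option list of a raw TCP segment, reports the MSS a SYN advertises (falling back to the family default when the option is absent), and evaluates both policies, a per-family floor and a single shared floor. The function names and the constructed SYN segments are assumptions made for this illustration; nothing here is a netfilter rule.

```python
"""Extract the MSS option from a raw TCP SYN and apply a minimum-MSS policy.

Added illustration for the netfilter list discussion above, not code from
the thread. DEFAULT_MSS holds the RFC default MSS per family (RFC 9293 for
IPv4: 576 - 40 = 536; RFC 8200 minimum MTU for IPv6: 1280 - 60 = 1220).
build_syn() produces constructed test input (no checksum, no IP header).
"""
import struct

DEFAULT_MSS = {4: 536, 6: 1220}  # used when a SYN sends no MSS option

TCP_OPT_EOL = 0   # end of option list
TCP_OPT_NOP = 1   # one-byte padding
TCP_OPT_MSS = 2   # kind 2, length 4, 16-bit value
TCP_FLAG_SYN = 0x02
TCP_FLAG_ACK = 0x10


def parse_tcp_options(segment: bytes) -> dict:
    """Return {kind: value_bytes} for the options in a raw TCP segment.

    The data offset (header length in 32-bit words) bounds the option area;
    kind 0 terminates the list, kind 1 is a single pad byte, and every other
    kind carries a length byte that counts the kind and length bytes too.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = {}
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("option kind without length byte")
        length = segment[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("bad option length")
        opts[kind] = segment[i + 2:i + length]
        i += length
    return opts


def syn_mss(segment: bytes, family: int):
    """MSS advertised by a SYN, or the family default when the option is absent.

    Returns None for non-SYN segments: the MSS option is only sent on SYNs,
    so any rule keyed on it should only inspect SYNs.
    """
    if not segment[13] & TCP_FLAG_SYN:
        return None
    opts = parse_tcp_options(segment)
    if TCP_OPT_MSS not in opts:
        return DEFAULT_MSS[family]
    raw = opts[TCP_OPT_MSS]
    if len(raw) != 2:
        raise ValueError("MSS option must carry a 2-byte value")
    return struct.unpack("!H", raw)[0]


def is_suspicious_syn(segment: bytes, family: int,
                      per_family: bool = True, floor: int = 536) -> bool:
    """True when a SYN advertises an MSS below the chosen floor.

    per_family=True uses the RFC default of the family (536 or 1220) as the
    floor; per_family=False applies one shared floor to both families, the
    single-value approach discussed in the thread.
    """
    mss = syn_mss(segment, family)
    if mss is None:
        return False
    limit = DEFAULT_MSS[family] if per_family else floor
    return mss < limit


def build_syn(mss=None, flags: int = TCP_FLAG_SYN, nop_pad: bool = False) -> bytes:
    """Constructed raw TCP segment (assumed test input): ports, flags, options."""
    options = b""
    if mss is not None:
        options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
        if nop_pad:  # NOP NOP MSS EOL pad, as some stacks lay options out
            options = b"\x01\x01" + options + b"\x00\x00"
    header_len = 20 + len(options)
    assert header_len % 4 == 0
    data_offset_byte = (header_len // 4) << 4
    header = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                         data_offset_byte, flags, 65535, 0, 0)
    return header + options


if __name__ == "__main__":
    for fam in (4, 6):
        for mss in (None, 500, 1000, 1460):
            seg = build_syn(mss)
            print(f"IPv{fam} mss={syn_mss(seg, fam)} per-family flag="
                  f"{is_suspicious_syn(seg, fam)} shared-536 flag="
                  f"{is_suspicious_syn(seg, fam, per_family=False)}")
```

The output makes the disagreement concrete: an IPv6 SYN advertising MSS 1000 is below the 1220 default and is flagged by the per-family policy but not by a shared 536 floor, while anything below 536 is flagged by both. Note that a SYN with no MSS option is treated as carrying the default, so neither policy can flag it; the closest netfilter counterpart is matching `tcp option maxseg size` on SYNs in nftables, which likewise only sees the option when it is present.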