From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Phil Oester <kernel@linuxace.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option
Date: Wed, 5 Jun 2013 14:09:03 +0200
Message-ID: <20130605120903.GA10198@localhost>
In-Reply-To: <20130604150927.GA9108@gmail.com>

On Tue, Jun 04, 2013 at 11:09:27AM -0400, Phil Oester wrote:
> As reported in bug #662, the clamp-mss-to-pmtu option of the xt_TCPMSS target
> can cause issues connecting to websites if there was no MSS option present in
> the original SYN packet from the client. In these cases, it adds an MSS higher
> than the default specified in RFC 879. Fix this by never setting a value > 536
> IFF none was specified by the client.
>
> This closes bug #662.

Applied to the nf tree, thanks Phil.

BTW, this target does not seem to make safe fragmentation handling. We
need a patch similar to:

commit bc6bcb59dd7c184d229f9e86d08aa56059938a4c
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date:   Tue May 7 03:22:18 2013 +0200

    netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
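
The clamping rule from the quoted commit message, combined with a bounds-checked walk of the TCP options area, as an added user-space example (not the kernel's xt_TCPMSS code and not part of this thread). The function names, the return conventions and the choice to only ever lower an existing MSS are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2
#define TCPOLEN_MSS 4
#define RFC879_DEFAULT_MSS 536 /* assumed by the peer when a SYN has no MSS option */

/* Hypothetical helper: look for the MSS option in a TCP options area.
 * Returns 1 and stores the value if found, 0 if absent,
 * -1 if an option would run past the end of the buffer. */
static int find_mss(const uint8_t *opt, size_t len, uint16_t *mss)
{
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opt[i];

        if (kind == TCPOPT_EOL)
            return 0;
        if (kind == TCPOPT_NOP) {
            i++;
            continue;
        }
        /* Every other option has a length byte; the length byte and the
         * whole option body must lie inside the buffer. */
        if (i + 1 >= len || opt[i + 1] < 2 || opt[i + 1] > len - i)
            return -1;
        if (kind == TCPOPT_MSS && opt[i + 1] == TCPOLEN_MSS) {
            *mss = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]);
            return 1;
        }
        i += opt[i + 1];
    }
    return 0;
}

/* MSS the SYN should carry after clamping to path_mss.
 * 0 means "malformed options, leave the packet alone". */
uint16_t clamped_mss(const uint8_t *opt, size_t len, uint16_t path_mss)
{
    uint16_t old;
    int rc = find_mss(opt, len, &old);

    if (rc < 0)
        return 0;
    if (rc == 0) /* no option present: never announce more than 536 */
        return path_mss < RFC879_DEFAULT_MSS ? path_mss : RFC879_DEFAULT_MSS;
    return old < path_mss ? old : path_mss; /* only lower an existing value */
}
```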