From: Phil Oester <kernel@linuxace.com>
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] netfilter: xt_TCPMSS: Add IPv6 default MSS
Date: Mon, 10 Jun 2013 08:30:38 -0400
Message-ID: <20130610123038.GA5089@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 327 bytes --]
As a followup to commit 409b545a ("netfilter: xt_TCPMSS: Fix violation of RFC879
in absence of MSS option"), John Heffner points out that IPv6 has a higher MTU
than IPv4, and thus a higher minimum MSS. Update TCPMSS target to account
for this, and update RFC comment.
Phil
Signed-off-by: Phil Oester <kernel@linuxace.com>
[-- Attachment #2: patch-tcpmss_ipv6 --]
[-- Type: text/plain, Size: 2077 bytes --]
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index 53af7db..f123cbd 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -48,7 +48,8 @@ tcpmss_mangle_packet(struct sk_buff *skb,
const struct xt_tcpmss_info *info,
unsigned int in_mtu,
unsigned int tcphoff,
- unsigned int minlen)
+ unsigned int minlen,
+ unsigned int family)
{
struct tcphdr *tcph;
unsigned int tcplen, i;
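Review bot: the new trailing `family` parameter of tcpmss_mangle_packet() is a plain `unsigned int` with nothing stating which values it may take. The callers in this patch pass only PF_INET and PF_INET6, so a short comment at the signature saying so would keep a later caller from passing something the default-MSS branch does not expect.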
@@ -126,11 +127,16 @@ tcpmss_mangle_packet(struct sk_buff *skb,
skb_put(skb, TCPOLEN_MSS);
/*
- * RFC 879 states that the default MSS is 536 without specific
- * knowledge that the destination host is prepared to accept larger.
- * Since no MSS was provided, we MUST NOT set a value > 536.
+ * IPv4: RFC 1122 states "If an MSS option is not received at connection
+ * setup, TCP MUST assume a default send MSS of 536".
+ * IPv6: RFC 2460 states IPv6 has a minimum MTU of 1280 and a minimum
+ * length IPv6 header of 60, ergo the default MSS value is 1220
+ * Since no MSS was provided, we must use the default values
*/
- newmss = min(newmss, (u16)536);
+ if (family == PF_INET)
+ newmss=min(newmss, (u16)536);
+ else
+ newmss=min(newmss, (u16)1220);
opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
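Review bot: the IPv6 line of the new comment calls 60 "a minimum length IPv6 header", but the fixed IPv6 header is 40 bytes; 60 is that header plus the 20-byte minimum TCP header. The value 1220 (1280 - 60) is correct, so only the wording needs fixing, for example "minimum IPv6 + TCP header length of 60". Two smaller points in the same hunk: `newmss=min(newmss, (u16)536);` and the matching 1220 line need spaces around `=`, and the bare `else` applies 1220 to every family other than PF_INET, so an explicit PF_INET6 test or a comment that only these two families reach this code would make the intent clear.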
@@ -192,7 +198,8 @@ tcpmss_tg4(struct sk_buff *skb, const struct xt_action_param *par)
ret = tcpmss_mangle_packet(skb, par->targinfo,
tcpmss_reverse_mtu(skb, PF_INET),
iph->ihl * 4,
- sizeof(*iph) + sizeof(struct tcphdr));
+ sizeof(*iph) + sizeof(struct tcphdr),
+ PF_INET);
if (ret < 0)
return NF_DROP;
if (ret > 0) {
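Review bot: in this tcpmss_tg4() call the family is now spelled twice, once in tcpmss_reverse_mtu(skb, PF_INET) and once as the new trailing PF_INET argument, and nothing ties the two together. A single local holding the family, used for both arguments, would stop them drifting apart if either call site is edited later; the same applies to the PF_INET6 pair in tcpmss_tg6().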
@@ -221,7 +228,8 @@ tcpmss_tg6(struct sk_buff *skb, const struct xt_action_param *par)
ret = tcpmss_mangle_packet(skb, par->targinfo,
tcpmss_reverse_mtu(skb, PF_INET6),
tcphoff,
- sizeof(*ipv6h) + sizeof(struct tcphdr));
+ sizeof(*ipv6h) + sizeof(struct tcphdr),
+ PF_INET6);
if (ret < 0)
return NF_DROP;
if (ret > 0) {