From: Phil Oester <kernel@linuxace.com>
To: David Laight <David.Laight@ACULAB.COM>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
netfilter-devel@vger.kernel.org, davem@davemloft.net,
netdev@vger.kernel.org
Subject: Re: [PATCH 3/5] netfilter: xt_TCPMSS: Fix violation of RFC879 in absence of MSS option
Date: Mon, 10 Jun 2013 04:27:39 -0400
Message-ID: <20130610082739.GA14277@gmail.com>
In-Reply-To: <AE90C24D6B3A694183C094C60CF0A2F6026B7285@saturn3.aculab.com>
On Tue, Jun 11, 2013 at 04:00:06PM +0100, David Laight wrote:
> To quote that bug:
>
> I stumbled upon this problem in debian bug #541658[1] ("[iceweasel] cannot open
> research.microsoft.com" - only worth reading for entertainment purposes) and,
> after that bug was closed, analysed it in my blog[2] until a friend of mine
> found out why the page loads when clamping mss to pmtu is disabled or
> restricted to a range (like with "iptables -A FORWARD -p tcp --tcp-flags
> SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu") but
> doesn't load with "simple" clamping. His really great and detailed analysation
> of the problem may be seen at [3].
>
> If I read/understand that correctly, clamping to 1400 worked - there was
> no need to clamp all the way down to 536.
You are not understanding the issue correctly. The reason the command worked with
"-m tcpmss --mss 1400:1536" is because that implies an MSS option was provided.
The issue occurs only when NO MSS option is sent. In these cases, we cannot
ASSUME that it is ok to use some arbitrarily high value (1400 as you propose).
The RFC is clear on this point.
Phil
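To make the distinction Phil draws concrete, here is an added example (not code from this thread or from the kernel's xt_TCPMSS) that parses the TCP option list of a constructed SYN and models three things: the RFC 879 default of 536 when no MSS option is present, why "-m tcpmss --mss 1400:1536" can only match a SYN that actually carries an option, and what an MSS clamp writes with and without the RFC 879 cap. The pmtu - 40 arithmetic (IPv4 + TCP headers) and the rfc879=False branch modelling the pre-fix behaviour are assumptions for illustration.

```python
import struct

RFC879_DEFAULT_MSS = 536          # RFC 879: assumed when no MSS option is sent
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

def build_syn(mss=None):
    """Constructed sample input: a 20-byte TCP SYN header plus an optional MSS option."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss) if mss is not None else b""
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, 65535, 0, 0)
    return hdr + opts

def find_mss_option(tcp):
    """Walk the TCP option list; return the MSS value, or None if no option is present."""
    doff = (tcp[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            break
        olen = tcp[i + 1]
        if olen < 2 or i + olen > doff:
            break                      # malformed option list: stop parsing
        if kind == TCPOPT_MSS and olen == 4:
            return struct.unpack("!H", tcp[i + 2:i + 4])[0]
        i += olen
    return None

def tcpmss_match(tcp, lo, hi):
    """'-m tcpmss --mss lo:hi' can only match when an MSS option exists."""
    mss = find_mss_option(tcp)
    return mss is not None and lo <= mss <= hi

def clamp_mss(tcp, pmtu, rfc879=True):
    """MSS a clamp-mss-to-pmtu target would write (assumed: pmtu - 40 for IPv4 + TCP)."""
    newmss = pmtu - 40
    mss = find_mss_option(tcp)
    if mss is not None:
        return min(mss, newmss)        # existing option: only lower it, never raise it
    # No option: the peer assumes 536, so inserting anything larger violates RFC 879.
    return min(newmss, RFC879_DEFAULT_MSS) if rfc879 else newmss
```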