From: Luca Pesce <pesce.luca@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: xt_TCPMSS target dropping SYN packets with data: suggested mod
Date: Thu, 9 Jul 2009 15:41:01 +0200 [thread overview]
Message-ID: <873dce860907090641n31254e30g48886aefbbc6474e@mail.gmail.com> (raw)
Hi all,
I have a question and a possible patch/mod for target TCPMSS (xt_TCPMSS.c).
At the very beginning of function tcpmss_mangle_packet(), the skb containing the
TCP SYN packet is checked to see if it is containing data (on a side note, SYN
with data is quite unusual...); if so, the packet is drastically dropped.
The reason is explained in RR's comment to the code, I am copy/pasting the
beginning of this function with the length check at the bottom of this mail.
RR says that we cannot change MSS on a packet which is already carrying data
(it would be too late): could we relax this check, seeing if the tcp payload is
less than the MSS we are about to set?
Something like:
if (tcplen > info->mss) {
if (net_ratelimit())
printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
(*pskb)->len);
return -1;
}
With such a mod, MSS clamping would happen even for TCP SYN with data
if the data
length (instead of dropping the packet) is not exceeding the MSS we want to set.
Thanks and regards,
Luca Pesce
static int
tcpmss_mangle_packet(struct sk_buff **pskb,
const struct xt_tcpmss_info *info,
unsigned int tcphoff,
unsigned int minlen)
{
struct tcphdr *tcph;
unsigned int tcplen, i;
__be16 oldval;
u16 newmss;
u8 *opt;
if (!skb_make_writable(pskb, (*pskb)->len))
return -1;
tcplen = (*pskb)->len - tcphoff;
tcph = (struct tcphdr *)((*pskb)->nh.raw + tcphoff);
/* Since it passed flags test in tcp match, we know it is is
not a fragment, and has data >= tcp header length. SYN
packets should not contain data: if they did, then we risk
running over MTU, sending Frag Needed and breaking things
badly. --RR */
if (tcplen != tcph->doff*4) {
if (net_ratelimit())
printk(KERN_ERR "xt_TCPMSS: bad length (%u bytes)\n",
(*pskb)->len);
return -1;
}
[...]
next reply other threads:[~2009-07-09 13:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-09 13:41 Luca Pesce [this message]
2009-07-15 15:38 ` xt_TCPMSS target dropping SYN packets with data: suggested mod Patrick McHardy
2009-07-16 7:15 ` Luca Pesce
2009-07-16 11:17 ` Pascal Hambourg
2009-07-17 7:44 ` Luca Pesce
2009-07-17 9:46 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=873dce860907090641n31254e30g48886aefbbc6474e@mail.gmail.com \
--to=pesce.luca@gmail.com \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).