From patchwork Tue Jun 4 15:09:27 2013
X-Patchwork-Submitter: Phil Oester
X-Patchwork-Id: 248681
Date: Tue, 4 Jun 2013 11:09:27 -0400
From: Phil Oester
To: netfilter-devel@vger.kernel.org
Cc: pablo@netfilter.org
Subject: [PATCH] netfilter: xt_TCPMSS: Avoid violating RFC 879 in absence of MSS option
Message-ID: <20130604150927.GA9108@gmail.com>

As reported in bug #662, the clamp-mss-to-pmtu option of the xt_TCPMSS target can cause issues connecting to websites if there was no MSS option present in the original SYN packet from the client. In these cases, it adds an MSS higher than the default specified in RFC 879. Fix this by never setting a value > 536 IFF none was specified by the client.

This closes bug #662.

Phil

Signed-off-by: Phil Oester

diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index a75240f..53af7db 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -125,6 +125,13 @@ tcpmss_mangle_packet(struct sk_buff *skb,
 	skb_put(skb, TCPOLEN_MSS);
 
+	/*
+	 * RFC 879 states that the default MSS is 536 without specific
+	 * knowledge that the destination host is prepared to accept larger.
+	 * Since no MSS was provided, we MUST NOT set a value > 536.
+	 */
+	newmss = min(newmss, (u16)536);
+
 	opt = (u_int8_t *)tcph + sizeof(struct tcphdr);
 	memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr));
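Review bot: the 536-octet ceiling applied by the new `newmss = min(newmss, (u16)536);` line is RFC 879's default for IPv4 only; if tcpmss_mangle_packet() is also reached for IPv6 packets, the corresponding default MSS there is 1220 (the 1280-octet minimum IPv6 MTU minus 40 bytes of IPv6 header and 20 bytes of TCP header), so an unconditional clamp to 536 would needlessly undersize IPv6 connections from clients that omitted the option. Consider selecting the ceiling by address family (536 for IPv4, 1220 for IPv6) and stating both figures in the new comment block, which currently cites only RFC 879; the min() itself is otherwise correctly placed after skb_put() and before the option is written, so a PMTU-derived value below 536 is still preserved.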