How to overwrite MSS value in SYN packets? | KernelTrap

How to overwrite MSS value in SYN packets?

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Alexey Suslikov

Subject: How to overwrite MSS value in SYN packets?

Date: Tuesday, June 3, 2008 - 12:13 am

B A <openbsd-ab@ya.ru> wrote:

quoted text> My question is how to overwrite MSS value in SYN packets?
> I have read http://www.openbsd.org/faq/pf/ and found
> scrub option.
>
> My current rule is:
> scrub all no-df max-mss 1400 random-id fragment reassemble
>
> but it's not doing what I expect. It does packet fragmentation,
> and I want actual mss rewriting for outgoing SYN packets.
> Something like
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
> in linux.

max-mss does exactly what it says. See man 6 pf.conf

TRAFFIC NORMALIZATION
     Traffic normalization is used to sanitize packet content in such a way
     that there are no ambiguities in packet interpretation on the receiving
     side.  The normalizer does IP fragment reassembly to prevent attacks that
     confuse intrusion detection systems by sending overlapping IP fragments.
     Packet normalization is invoked with the scrub directive.

     scrub has the following options:
...
     max-mss <number>
           Enforces a maximum MSS for matching TCP packets.
...

Also, I see the rule above omits interface name so maybe you need to
explicitly specify an interface where you need to scrub.

Can you show tcpdump output to see how SYN and SYN-ACK packets
looks like?

- Alexey.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

How to overwrite MSS value in SYN packets?, Alexey Suslikov, (Tue Jun 3, 12:13 am)

Navigation

Popular discussions


linux-kernel:
Brandeburg, Jesse	RE: [regression] e1000e broke e1000 (was: Re: [ANNOUNCE] e1000 toe1000e migration ...
Robin Lee Powell	NFS hang + umount -f: better behaviour requested.
Linus Torvalds	Linux 2.6.34-rc4
Nick Piggin	Re: dealing with barriers (was Re: [PATCH] firewire: fw-core: enforce write order ...
Joe Perches	Re: [patch] checkpatch: putting the && or \|\| on the wrong line
git:
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Johannes Sixt	Re: How to pull remote branch with specified commit id?
Alex Riesen	Re: ! [rejected] master -> master (non-fast forward)
Henrik Vendelbo	only accessing some git repos: Am I configuring daemon wrong?
Johannes Schindelin	Re: git and mtime
linux-netdev:
Paulius Zaleckas	Re: [RFC] Patch to option HSO driver to the kernel
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
Timo Teräs	ip xfrm policy semantics
Ron Mercer	[net-next PATCH 2/2] qlge: Version change to v1.00.00.27
Maciej W. Rozycki	Re: [PATCH] flush_work_sync vs. flush_scheduled_work Re: [PATCH] PHYLIB: IRQ event...
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Siju George	This is what Linus Torvalds calls openBSD crowd
new_guy	Longest Uptime?
Skylar Hawk	Re: asus eee 1201n - acpitz0 critical temperature 255C (5282K), shutting down
Nick Guenther	Re: Forum engine
git-commits-head:
Linux Kernel Mailing List	powerpc/fsl_msi: enable msi allocation in all banks
Linux Kernel Mailing List	[ARM] mmp: avengers lite (pxa168) board bring up
Linux Kernel Mailing List	checkpatch: warn on declaration with storage class not at the beginning
Linux Kernel Mailing List	USB: remove duplicate entry in Option driver and Pl2303 driver for Huawei modem
Linux Kernel Mailing List	swiotlb: replace architecture-specific swiotlb.h with linux/swiotlb.h

Colocation donated by:

Syndicate