tech-net archive


Re: NPF: TCP options



Maxime Villard <max%m00nbsd.net@localhost> wrote:
> <...>
> > 
> > Read the very first email of this thread, I said what was wrong about
> > not looking at the length of the TCP options.
> > 
> > It matters because of bypasses, as I said only an hour ago in the mail
> > you just quoted.
> 
> Back on this; so I tested, and it works, the scenario I described in my
> first email does bypass max-mss clamping.
> 
> That is to say, when you have a configuration of the kind:
> 
> <...>
> 
> allows you to bypass the rule. NPF reads mss=20000, but the kernel reads
> mss=30000 and registers the segment size as 30000.

Just to remind: the purpose of MSS clamping is to get things working on
misconfigured networks i.e. you put it as a workaround so the packets
would flow (rather than be dropped).  Bypassing a thing which is trying
to *help* you, as a sender, is hardly going to be useful (-- terms and
conditions apply).

As I said -- I am not against having stricter defaults, but please keep
the options (an always set flag is fine for now) open for the users.
Even though we are talking about packet *filter*, as an application,
it is concerned with many more aspects than just *filtering* (in a sense
of restricting access).  MSS clamping is actually an example of that.

-- 
Mindaugas
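
As an added illustration, not part of this thread and not NPF or NetBSD code: a strict TCP option walker that checks each option's declared length and rejects a malformed or repeated MSS option, placed beside a lenient reader that takes the first MSS it meets without checking its length. The option blocks are constructed for the example; the configuration Maxime tested is elided above, so this shows the class of parser mismatch the thread discusses, not that exact case.

```c
#include <stdint.h>
#include <stddef.h>

#define TCPOPT_EOL  0
#define TCPOPT_NOP  1
#define TCPOPT_MSS  2
#define TCPOLEN_MSS 4

/* Lenient reader: takes the first kind-2 option and never checks that its
 * declared length is 4. Returns the MSS it believes, or -1 if none. */
int mss_lenient(const uint8_t *o, size_t n)
{
    for (size_t i = 0; i + 1 < n; ) {
        if (o[i] == TCPOPT_EOL) break;
        if (o[i] == TCPOPT_NOP) { i++; continue; }
        if (o[i] == TCPOPT_MSS && i + 3 < n)
            return (o[i + 2] << 8) | o[i + 3];
        if (o[i + 1] < 2) break;                  /* avoid looping on a zero length */
        i += o[i + 1];
    }
    return -1;
}

/* Strict walker: every option must declare a length >= 2 that stays inside
 * the block; MSS must be exactly 4 bytes long and appear once. Any violation
 * returns -1 so a filter can drop the segment instead of guessing a value. */
int mss_strict(const uint8_t *o, size_t n)
{
    int mss = -1;
    for (size_t i = 0; i < n; ) {
        uint8_t kind = o[i];
        if (kind == TCPOPT_EOL) break;
        if (kind == TCPOPT_NOP) { i++; continue; }
        if (i + 1 >= n) return -1;                /* kind byte with no length byte */
        size_t len = o[i + 1];
        if (len < 2 || i + len > n) return -1;    /* bogus or overrunning length */
        if (kind == TCPOPT_MSS) {
            if (len != TCPOLEN_MSS || mss != -1) return -1; /* malformed or repeated */
            mss = (o[i + 2] << 8) | o[i + 3];
        }
        i += len;
    }
    return mss;
}

/* Constructed option blocks for the example (not captured traffic). */
const uint8_t good_opts[] = { 2,4,0x05,0xB4, 1, 3,3,7, 4,2 };      /* MSS 1460, NOP, wscale 7, SACK-permitted */
const uint8_t bad_opts[]  = { 2,6,0x4E,0x20,0,0, 2,4,0x75,0x30 };  /* 6-byte "MSS" option, then MSS 30000 */
```

On `bad_opts` the lenient reader reports 20000 while the strict walker refuses the block, which is the disagreement a clamping rule must avoid: the filter should reject what it cannot parse unambiguously rather than rewrite one reading of it.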

