From patchwork Tue May 19 08:04:42 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4954 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:324e:b0:84a:48f:a1fd with SMTP id s14csp2263001maf; Tue, 19 May 2026 01:06:01 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/DvngBm5gjcIRvbEkMfeQFAtuLxE4uaIaA0iRYcEcsBVfZ3XmGc/oOZCBINR/jkCOj2aj+Ul80MiQ=@openvpn.net X-Received: by 2002:a05:6820:2910:b0:696:2cb1:a019 with SMTP id 006d021491bc7-69c9436f529mr11919520eaf.28.1779177961000; Tue, 19 May 2026 01:06:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779177960; cv=none; d=google.com; s=arc-20240605; b=aKqWnkquzmIVOCFIPin0IZ1yW5A+oYtq6CF2bNYLQGTQXgu1jKTNSd9yx8nMXZuvSm 7K/Dh5zfd+fwwHn7XMfgCBoH5SaDL0Kr1K9gjvAEWIEhvkXSNg/M83ReqOm/2Tvuho2l ssvlcs/e9nTt2HM1/wNKISXZoYTY6NCjjYiuUXj+488paxeLI3tlaT9rFFsQ+/T/fQZ7 6nFP9+zJNjN0Hbj+yycklf2Sm5PAFwm/eyFPLubR5ngRoXAUVPIEQqPDeKy3vObT+Fq+ dzARdGFBUnyyHeETgg2VMSG5ZOkJ2lMvFnJsztu9pju8Exy2iQZZLLkEaOAuwXVpoOMp szJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature:dkim-signature; bh=kdXG2UiYRKXRgWRYqeXNrH+4lIFsoqu5PBeKxpGun90=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=dGRyDHBMXCCX7Ri4X5ZJ2NP0E1atjeuRdvNCQVzRXuLvgEorVOlCvMR0ZuLf3pB00h gnxLda1u0JlWUZGp0c3ngJsDlRmb+/ZfRtShlCkYEIrswxCZ29mEfP+2PoVKobU0VyNM Pe5OWAQM0LRXPeTSO62I1ELU8gJke21XTabHnREtxgSzotOBXRy1zYptKbk3uHgzyyvF 1mpHoJFj4tVi6pOa3YlACIRPtzBwIvpb9WKLp7H29zvv3hVvE6ukMb3P7ZhVwRW28hi3 YsZxhAtCeJY1r0wZQiy6bqIRBOSQyq5E5RliirFH1y/D2sBYY2/wZzvnHEd3UNyIvKSe G9pA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=iCsrn+Xy; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=XF1sI9Wq; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=R1mAiHcC; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=b4gcjtfi; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-43a94f57065si5462530fac.32.2026.05.19.01.06.00 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 May 2026 01:06:00 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=iCsrn+Xy; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=XF1sI9Wq; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=R1mAiHcC; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=b4gcjtfi; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:Message-ID:Date:To:From:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Owner; bh=kdXG2UiYRKXRgWRYqeXNrH+4lIFsoqu5PBeKxpGun90=; b=iCsrn+XyQ1hrzTH+Gw8fU/8+Yo 7uZFdTFYsZ8HH0D0+/U9wK7tgsfUpwBLHYv7APsO934nsg4XmulQ61EWd7dGwLASXmjl71vLHyLLE Y5q4DUkAVtaMC1Uj9qMlSzclF6EJrglS6cNNB2BMLl5D/RMwEgBhuEpnJKOsuEu7dtDA=; Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wPFSX-0005rx-2b; Tue, 19 May 2026 08:05:49 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wPFST-0005ro-8m for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2026 08:05:46 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=7QC2l8qDZvAf44ABZOWwe3gDYQN0dhoWaNzG4gRhy0k=; b=XF1sI9WqFDvqLXn+Ymiv1R3o6t 6CF0MDqitzt1/ra9In4TP0xKRFSwVCvYvsezghIBIH4j7LBvpu+A/Ct4riDvinxyQ7rzkLxZN2klZ lSuR5Jz3DzpTqChQensZA/tkc9gmn7KW8aJN+APLNmdWwJiyZ/kSQ0Th6p0JQp8DJrW8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=7QC2l8qDZvAf44ABZOWwe3gDYQN0dhoWaNzG4gRhy0k=; b=R 1mAiHcC/X3k1c+sxw3VDS0tv1tQV7UzDsEsof3vC4LbfMjV9YmvFMu6/PGImHIIyqYVtw+CdNSbJ7 akmPV7aD+LRkYNkqoCkrCE11mQ6y97ZnjymCNuaZfPluVx2l7ZAyBM5KSI2shayM8dtUfuvXLTffo SyLlxHoeb+YhlUj4=; Received: from mout-b-112.mailbox.org ([195.10.208.42]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wPFSQ-00044U-Jj for openvpn-devel@lists.sourceforge.net; Tue, 19 May 2026 08:05:45 +0000 Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-112.mailbox.org (Postfix) with ESMTPS id 4gKS090HLtzDvNT; Tue, 19 May 2026 10:05:29 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1779177929; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=7QC2l8qDZvAf44ABZOWwe3gDYQN0dhoWaNzG4gRhy0k=; b=b4gcjtfi1EdepLQyJ20to/t3aP175LopNREBn+SkErj58H1IOv+WdTXM/fgG/wFo0HN2Kj h2rl1DKcHSq5Xk4aUMZKaInUV5UA1vO38XIoMxdmdluf2nozHKj0X5EwuQEXpYsmG4SE2a R47jxK/yk9EUqTEWQOM9Ig9K1x+guStVo4jB9CGpf1630P4+1CzmDUTFlmM58lx4lIYTCP wp9hhEFQL6gsoxz4tyHlOe5QxKTOGmf9ab0/DzTpan34v1Kp5e+zlsiTfYh9+2H974PFBi cxHfbW+yDQcm1oObqx2P/xEX3luTTjOsI0P+gpOTqoWQtrBRo5lzcTF61boXsQ== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::1 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 May 2026 10:04:42 +0200 Message-ID: <20260519080500.120724-1-ralf@mandelbit.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gKS090HLtzDvNT X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-1.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: xt_TCPMSS has local logic for scanning TCP options and lowering an existing MSS option without increasing it. Move that scan-and-clamp logic into a TCP helper so other networking code can reuse it without duplicating TCP option parsing. Keep xt_TCPMSS responsible for the policy-specific behavior of adding a m [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [195.10.208.42 listed in wl.mailspike.net] X-Headers-End: 1wPFSQ-00044U-Jj Subject: [Openvpn-devel] [PATCH ovpn net-next v3 1/3] tcp: factor out TCP MSS option clamping X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1865603309929186853?= X-GMAIL-MSGID: =?utf-8?q?1865603309929186853?= xt_TCPMSS has local logic for scanning TCP options and lowering an existing MSS option without increasing it. Move that scan-and-clamp logic into a TCP helper so other networking code can reuse it without duplicating TCP option parsing. Keep xt_TCPMSS responsible for the policy-specific behavior of adding a missing MSS option. The helper returns 0 when an existing MSS option was handled, whether or not it had to be lowered. It returns -ENOENT when no MSS option is present and -EINVAL when option parsing finds a malformed option block. xt_TCPMSS treats both non-zero cases like the previous local scan failing to find a clampable MSS option, so the target keeps its existing fallback behavior for adding a missing MSS option or accepting the packet unchanged. The helper expects the caller to ensure that the TCP header and options are linear and writable. Signed-off-by: Ralf Lici --- No changes since v2 https://lore.kernel.org/openvpn-devel/20260518085908.135570-1-ralf@mandelbit.com/ No changes since v1 https://lore.kernel.org/openvpn-devel/20260515075941.102225-1-ralf@mandelbit.com/ include/net/tcp.h | 2 ++ net/ipv4/tcp.c | 60 +++++++++++++++++++++++++++++++++++++++ net/netfilter/xt_TCPMSS.c | 36 ++--------------------- 3 files changed, 64 insertions(+), 34 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 3c4e6adb0dbd..e722c7d936bf 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -538,6 +538,8 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb, struct tcp_options_received *opt_rx, int estab, struct tcp_fastopen_cookie *foc); +int tcp_clamp_mss_option(struct sk_buff *skb, struct tcphdr *th, u16 maxmss); + /* * BPF SKB-less helpers */ diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 21ece4c71612..ef10e530a1ad 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -721,6 +721,66 @@ static inline void tcp_mark_urg(struct tcp_sock *tp, int flags) tp->snd_up = tp->write_seq; } +/** + * tcp_clamp_mss_option - clamp an existing TCP MSS option + * @skb: skb containing the TCP segment + * @th: TCP header in @skb + * @maxmss: upper bound for the TCP MSS option value + * + * Parse the TCP option block and lower an existing MSS option to @maxmss. + * The MSS value is never increased. If the MSS value is changed, the TCP + * checksum in @th is updated. + * + * The caller must ensure that @th and the complete TCP option block are + * present in the linear data area and writable. + * + * Return: 0 on success or when no update is needed, -ENOENT when no MSS + * option is present, or -EINVAL when the TCP option block is malformed. + */ +int tcp_clamp_mss_option(struct sk_buff *skb, struct tcphdr *th, u16 maxmss) +{ + int length = th->doff * 4 - sizeof(*th); + u8 *ptr = (u8 *)(th + 1); + u16 oldmss; + + while (length > 0) { + int opcode = *ptr++; + int opsize; + + switch (opcode) { + case TCPOPT_EOL: + return -ENOENT; + case TCPOPT_NOP: + length--; + continue; + default: + if (length < 2) + return -EINVAL; + + opsize = *ptr++; + if (opsize < 2 || opsize > length) + return -EINVAL; + + if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) { + oldmss = get_unaligned_be16(ptr); + if (!oldmss || oldmss <= maxmss) + return 0; + + put_unaligned_be16(maxmss, ptr); + inet_proto_csum_replace2(&th->check, skb, + htons(oldmss), + htons(maxmss), false); + return 0; + } + + ptr += opsize - 2; + length -= opsize; + } + } + return -ENOENT; +} +EXPORT_SYMBOL_GPL(tcp_clamp_mss_option); + /* If a not yet filled skb is pushed, do not send it if * we have data packets in Qdisc or NIC queues : * Because TX completion will happen shortly, it gives a chance diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 80e1634bc51f..70983b757229 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -30,16 +30,6 @@ MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment"); MODULE_ALIAS("ipt_TCPMSS"); MODULE_ALIAS("ip6t_TCPMSS"); -static inline unsigned int -optlen(const u_int8_t *opt, unsigned int offset) -{ - /* Beware zero-length options: make finite progress */ - if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) - return 1; - else - return opt[offset+1]; -} - static u_int32_t tcpmss_reverse_mtu(struct net *net, const struct sk_buff *skb, unsigned int family) @@ -77,7 +67,6 @@ tcpmss_mangle_packet(struct sk_buff *skb, const struct xt_tcpmss_info *info = par->targinfo; struct tcphdr *tcph; int len, tcp_hdrlen; - unsigned int i; __be16 oldval; u16 newmss; u8 *opt; @@ -113,29 +102,8 @@ tcpmss_mangle_packet(struct sk_buff *skb, } else newmss = info->mss; - opt = (u_int8_t *)tcph; - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { - if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { - u_int16_t oldmss; - - oldmss = (opt[i+2] << 8) | opt[i+3]; - - /* Never increase MSS, even when setting it, as - * doing so results in problems for hosts that rely - * on MSS being set correctly. - */ - if (oldmss <= newmss) - return 0; - - opt[i+2] = (newmss & 0xff00) >> 8; - opt[i+3] = newmss & 0x00ff; - - inet_proto_csum_replace2(&tcph->check, skb, - htons(oldmss), htons(newmss), - false); - return 0; - } - } + if (tcp_clamp_mss_option(skb, tcph, newmss) == 0) + return 0; /* There is data after the header so the option can't be added * without moving it, and doing so may make the SYN packet