From patchwork Wed May 20 09:16:10 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ralf Lici X-Patchwork-Id: 4958 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:b695:b0:861:c897:cb9d with SMTP id dh21csp717175mab; Wed, 20 May 2026 02:17:06 -0700 (PDT) X-Forwarded-Encrypted: i=2; AFNElJ/oSxpIg6J+SomsK5+8ZBpW9uF0sRkZfKcjGv8JSD/s2U8VX1VHk+Tu1YF6qtRxTk7fqYBMM3tJYuY=@openvpn.net X-Received: by 2002:a05:6870:6e0e:b0:42c:6ea:3227 with SMTP id 586e51a60fabf-43a2defc15cmr15385208fac.19.1779268626759; Wed, 20 May 2026 02:17:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1779268626; cv=none; d=google.com; s=arc-20240605; b=YXP8XCyq90GAEtBuNLVC7V/QAlukksYXZ834BQZRvGKeg43cTT2b4HXO1wdB+9smuT zscuK08FwMz0POtdlGVhukZSj4bcvkJKQbRzi/sz2wQrxYr7W5ujpgpva6gSWHbDs8wM J3NYmSPimiVNuTFkkMZK2ESRTdOv4rLui3VGqU6fvgON4x1saTUyhhc+TraUWf0N930d PYIXsyqE17ShXIX4yB5T3DJsUFgv3WA2JLZjyJHnMZnKS5531XDZm32kQf5QvmoMeP/j 2h61LVZMk3TY6jiNU1sdX9VNuohYRgeoeYslEaSGR58do4D0OyrkSBNjtr6bVzyAQfMH uJmw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature :dkim-signature:dkim-signature; bh=SBUQ5el1fu8pVKn+3UMukbR+mInP3ao2fZILSdpq6eU=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=OJAMpjwaMkobLGcUv1RZj+y+j0ib5AmHMtyfLzVqWTy+lvaDfqsY0Ah+xR2AS3Ij70 1D8iIKJz8H0IaWSYCQibXx2qLQSDiBp/R8Z4GEMoCTJkFMfZtUc2nsX7xFBjFDABFncu MMsMpCsg6J1pj3FHy8//nZnEFC/TJNqpIn8H6Pke1MgIDgzE0hfax99O7G/ECz2o10A8 9QBomSUgvB8qhxE/YlQsCo5k+525gw64GIYoLrX5DR/hDuEuhJTF2XgvYg/7cbRG5cTU VbUEC1qqAmiqH5HPHHn59LZjm+xdh/aNMB5grpbVEnnQSNGZREz6uNzBKoYxwSYCu5Z6 k2Yg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Chw+98Mp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=IjZuBySK; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=TRMpCI3u; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=vG8fqOwj; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-43a958999a9si8118074fac.330.2026.05.20.02.17.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 May 2026 02:17:06 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=Chw+98Mp; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=IjZuBySK; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=TRMpCI3u; dkim=neutral (body hash did not verify) header.i=@mandelbit.com header.s=MBO0001 header.b=vG8fqOwj; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:Message-ID:Date:To:From:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Owner; bh=SBUQ5el1fu8pVKn+3UMukbR+mInP3ao2fZILSdpq6eU=; b=Chw+98MpmyGnfR3i0Vclhvt2F+ OjlGERNcix7dcSuUs2DV3v2gBgHXF7RoMfWdIVyiDOcTY+d6Zqz5+KJW7ERfpIRE+L9bON/bVgFt3 NzCD9OIMxIRZs4HFPs0sKHku13JZWHnNY1qE94Dv9qmUF9ypcKYLYFRhlTKgDjX2KxyA=; Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1wPd2y-00024D-Cn; Wed, 20 May 2026 09:17:01 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1wPd2f-00022C-N3 for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2026 09:16:43 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-ID: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zO9EkoQ2m0Q7Pm1eR2ehLDemZUR2qATQKJ0PO/RwOgk=; b=IjZuBySKKwl7XSfclkMN2fWO7R tr2xsSfwDrgnN2U91MX83B5o0G2xYbpSTn+DK9EKpWhHh4bmauq3kstYtMUZ/XS+as+ZUjzMZZv69 WcGec/PdFmCmFikX4V/0JQk+0/HZAUnoCtDChWWnC68AKgQ+6p2H1D+4udEZh29+Pm5A=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-ID:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=zO9EkoQ2m0Q7Pm1eR2ehLDemZUR2qATQKJ0PO/RwOgk=; b=T RMpCI3uOS+/ZFzNWa0gVSoN6ZuCKf02tYzz2S/pVG1toje4vu0XCXxZvqLmiO2QkLklACCvVJk2ef rd9YEs39f3ZqOWbzk89WO5TuTrsKNnZVgUGdN81cUOhdJvdRi5LtGVJxZ/7bxoBkNXPoCYn0Ke97q lfCKwC7iNkBRRP5g=; Received: from mout-b-210.mailbox.org ([195.10.208.40]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1wPd2X-0003Ow-6T for openvpn-devel@lists.sourceforge.net; Wed, 20 May 2026 09:16:36 +0000 Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-210.mailbox.org (Postfix) with ESMTPS id 4gL5WY0qNrzDx4d; Wed, 20 May 2026 11:16:25 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mandelbit.com; s=MBO0001; t=1779268585; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=zO9EkoQ2m0Q7Pm1eR2ehLDemZUR2qATQKJ0PO/RwOgk=; b=vG8fqOwjuUXZieHO6J0eWo4PRAf9Uxia8H1s/963Jcs5sazk4C/iYeB6i1KDJOaGiDE7VX q2kpAXPihlne2U7UAzNukltGjw2vsCbtGvlPgeNZOdyCSuGMI8vsGQfx+f537hACjXG38P 2T8ssFF4gZY2ccU5sYaFNP+JGerAZchhAPCidnKc3tPwrsDEYBiepnL8skurQSHHgTR0T3 6DBKwDfjdQ92tXI3ZMf4HfH6gGvJGUMjf3+F4QvUCMdz/3PCVLLvxZlwaDaJEE0rsXaQ+o QNLi6yEBfizVY73gagooVrWktRipRCUvD8gya7l2Lyr8eqjlEjpLKK3NP2n3rg== Authentication-Results: outgoing_mbo_mout; dkim=none; spf=pass (outgoing_mbo_mout: domain of ralf@mandelbit.com designates 2001:67c:2050:b231:465::202 as permitted sender) smtp.mailfrom=ralf@mandelbit.com From: Ralf Lici To: openvpn-devel@lists.sourceforge.net Date: Wed, 20 May 2026 11:16:10 +0200 Message-ID: <20260520091613.158891-1-ralf@mandelbit.com> MIME-Version: 1.0 X-Rspamd-Queue-Id: 4gL5WY0qNrzDx4d X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: xt_TCPMSS has local logic for scanning TCP options and lowering an existing MSS option without increasing it. Move that scan-and-clamp logic into a TCP helper so other networking code can reuse it without duplicating TCP option parsing. Keep xt_TCPMSS responsible for the policy-specific behavior of adding a m [...] Content analysis details: (-0.2 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1wPd2X-0003Ow-6T Subject: [Openvpn-devel] [PATCH ovpn net-next v4 1/3] tcp: factor out TCP MSS option clamping X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1865698379734139983?= X-GMAIL-MSGID: =?utf-8?q?1865698379734139983?= xt_TCPMSS has local logic for scanning TCP options and lowering an existing MSS option without increasing it. Move that scan-and-clamp logic into a TCP helper so other networking code can reuse it without duplicating TCP option parsing. Keep xt_TCPMSS responsible for the policy-specific behavior of adding a missing MSS option. Linux TCP option parsing keeps scanning after an MSS option, so a later duplicate can override an earlier value at the receiver. While factoring out the scan, keep walking the TCP option block after a valid MSS option and clamp later MSS options as well, while preserving the rule that MSS values are never increased. The helper returns 0 when at least one MSS option was handled, whether or not any value had to be lowered. It returns -ENOENT when no MSS option is present and -EINVAL when option parsing fails before any MSS option is found. If parsing fails after an MSS option was handled, the helper still returns 0 so callers do not treat the packet as missing an MSS option after the skb may already have been modified. Signed-off-by: Ralf Lici --- Changes since v3 https://lore.kernel.org/openvpn-devel/20260519080500.120724-1-ralf@mandelbit.com/ - keep scanning the TCP option block and clamp all MSS options No changes since v2 https://lore.kernel.org/openvpn-devel/20260518085908.135570-1-ralf@mandelbit.com/ No changes since v1 https://lore.kernel.org/openvpn-devel/20260515075941.102225-1-ralf@mandelbit.com/ include/net/tcp.h | 2 ++ net/ipv4/tcp.c | 70 +++++++++++++++++++++++++++++++++++++++ net/netfilter/xt_TCPMSS.c | 36 ++------------------ 3 files changed, 74 insertions(+), 34 deletions(-) diff --git a/include/net/tcp.h b/include/net/tcp.h index 3c4e6adb0dbd..e722c7d936bf 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -538,6 +538,8 @@ void tcp_parse_options(const struct net *net, const struct sk_buff *skb, struct tcp_options_received *opt_rx, int estab, struct tcp_fastopen_cookie *foc); +int tcp_clamp_mss_option(struct sk_buff *skb, struct tcphdr *th, u16 maxmss); + /* * BPF SKB-less helpers */ diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 21ece4c71612..521aa63f5958 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -721,6 +721,76 @@ static inline void tcp_mark_urg(struct tcp_sock *tp, int flags) tp->snd_up = tp->write_seq; } +/** + * tcp_clamp_mss_option - clamp any existing TCP MSS option + * @skb: skb containing the TCP segment + * @th: TCP header in @skb + * @maxmss: upper bound for the TCP MSS option value + * + * Parse the TCP option block and lower any existing MSS option to @maxmss. + * The MSS value is never increased. If any MSS value is changed, the TCP + * checksum in @th is updated. + * + * The caller must ensure that @th and the complete TCP option block are + * present in the linear data area and writable. + * + * Return: 0 when at least one MSS option was handled, -ENOENT when no MSS + * option is present, or -EINVAL when the TCP option block is malformed before + * any MSS option is found. + */ +int tcp_clamp_mss_option(struct sk_buff *skb, struct tcphdr *th, u16 maxmss) +{ + int length = th->doff * 4 - sizeof(*th); + u8 *ptr = (u8 *)(th + 1); + bool found = false; + int ret = -ENOENT; + u16 oldmss; + + while (length > 0) { + int opcode = *ptr++; + int opsize; + + switch (opcode) { + case TCPOPT_EOL: + ret = -ENOENT; + goto out; + case TCPOPT_NOP: + length--; + continue; + default: + if (length < 2) { + ret = -EINVAL; + goto out; + } + + opsize = *ptr++; + if (opsize < 2 || opsize > length) { + ret = -EINVAL; + goto out; + } + + if (opcode == TCPOPT_MSS && opsize == TCPOLEN_MSS) { + found = true; + oldmss = get_unaligned_be16(ptr); + if (oldmss && oldmss > maxmss) { + put_unaligned_be16(maxmss, ptr); + inet_proto_csum_replace2(&th->check, + skb, + htons(oldmss), + htons(maxmss), + false); + } + } + + ptr += opsize - 2; + length -= opsize; + } + } +out: + return found ? 0 : ret; +} +EXPORT_SYMBOL_GPL(tcp_clamp_mss_option); + /* If a not yet filled skb is pushed, do not send it if * we have data packets in Qdisc or NIC queues : * Because TX completion will happen shortly, it gives a chance diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c index 80e1634bc51f..70983b757229 100644 --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -30,16 +30,6 @@ MODULE_DESCRIPTION("Xtables: TCP Maximum Segment Size (MSS) adjustment"); MODULE_ALIAS("ipt_TCPMSS"); MODULE_ALIAS("ip6t_TCPMSS"); -static inline unsigned int -optlen(const u_int8_t *opt, unsigned int offset) -{ - /* Beware zero-length options: make finite progress */ - if (opt[offset] <= TCPOPT_NOP || opt[offset+1] == 0) - return 1; - else - return opt[offset+1]; -} - static u_int32_t tcpmss_reverse_mtu(struct net *net, const struct sk_buff *skb, unsigned int family) @@ -77,7 +67,6 @@ tcpmss_mangle_packet(struct sk_buff *skb, const struct xt_tcpmss_info *info = par->targinfo; struct tcphdr *tcph; int len, tcp_hdrlen; - unsigned int i; __be16 oldval; u16 newmss; u8 *opt; @@ -113,29 +102,8 @@ tcpmss_mangle_packet(struct sk_buff *skb, } else newmss = info->mss; - opt = (u_int8_t *)tcph; - for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { - if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { - u_int16_t oldmss; - - oldmss = (opt[i+2] << 8) | opt[i+3]; - - /* Never increase MSS, even when setting it, as - * doing so results in problems for hosts that rely - * on MSS being set correctly. - */ - if (oldmss <= newmss) - return 0; - - opt[i+2] = (newmss & 0xff00) >> 8; - opt[i+3] = newmss & 0x00ff; - - inet_proto_csum_replace2(&tcph->check, skb, - htons(oldmss), htons(newmss), - false); - return 0; - } - } + if (tcp_clamp_mss_option(skb, tcph, newmss) == 0) + return 0; /* There is data after the header so the option can't be added * without moving it, and doing so may make the SYN packet