feat(server): client_mss_bulk — raise MSS after handshake to cut pps

client_mss (e.g. "tspu", MSS=92) fragments the whole connection to evade DPI on the ServerHello, but it also fragments bulk payload, multiplying outgoing packets-per-second ~10x. On hosts whose abuse detection counts pps (not bandwidth) this trips packet-flood limits. Add an optional [server].client_mss_bulk: keep the low client_mss for the handshake (ServerHello stays fragmented => DPI bypass intact), then raise the client socket MSS to client_mss_bulk once the connection enters the post-handshake (bulk transfer) phase, so bulk data uses normal-size segments and pps drops back to normal. Same preset/int grammar as client_mss. Opt-in: when unset, the handshake MSS is kept for the whole connection (unchanged behavior). Linux-only (setsockopt TCP_MAXSEG via raw fd, mirroring TCP_USER_TIMEOUT); no-op on other unix. Documented in CONFIG_PARAMS.{en,ru}.
2026-06-28 13:51:10 +03:00 · 2026-06-17 20:24:23 +03:00
parent d1a97fe10f
commit 50b67a93d6
6 changed files with 85 additions and 0 deletions
@@ -1096,6 +1096,12 @@ impl RunningClientHandler {
        #[cfg(unix)]
        let raw_fd = self.raw_fd;
        let rst_on_close = self.rst_on_close;
+        // MSS for the bulk data phase: once the handshake (incl. ServerHello) is
+        // sent, restore a normal MSS so only the handshake stays fragmented by the
+        // low listener `client_mss`. Cuts pps ~10x (anti-DDoS abuse on pps-policing
+        // hosts like FastVPS). None = keep handshake MSS for the whole connection.
+        #[cfg(unix)]
+        let bulk_mss: Option<u16> = self.config.server.client_mss_bulk_value().ok().flatten();

        let outcome = match self.do_handshake().await? {
            Some(outcome) => outcome,
@@ -1109,6 +1115,14 @@ impl RunningClientHandler {
                if matches!(rst_on_close, crate::config::RstOnCloseMode::Errors) {
                    let _ = crate::transport::socket::clear_linger_fd(raw_fd);
                }
+                // Handshake (ServerHello) done — raise MSS for bulk transfer.
+                #[cfg(unix)]
+                if let Some(mss) = bulk_mss {
+                    if let Err(e) = crate::transport::socket::set_tcp_mss_fd(raw_fd, u32::from(mss))
+                    {
+                        debug!(error = %e, "Failed to raise bulk MSS; keeping handshake MSS");
+                    }
+                }
                fut.await
            }
            HandshakeOutcome::NeedsMasking(fut) => fut.await,