Correct interaction between FASTACCEPT and CLAMPMSS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-11-17 18:23:19 +00:00
parent f753b4ab5c
commit 0fcc67230c
3 changed files with 22 additions and 13 deletions


@ -9,6 +9,8 @@ Changes in 3.0.1
4) Clarify PORTS column in blacklist file.
5) Correct CLAMPMSS/FASTACCEPT interraction.
Changes in 3.0.0 Final
None.
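
Review bot: The new changelog entry 5 misspells "interaction" as "interraction"; the commit subject spells it correctly, so the entry should match it: "5) Correct CLAMPMSS/FASTACCEPT interaction."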


@ -7636,6 +7636,19 @@ verify_ip() {
# - Determine the zones
#
initialize_netfilter () {
setup_mss()
{
case $CLAMPMSS in
Yes)
option="--clamp-mss-to-pmtu"
;;
*)
option="--set-mss $CLAMPMSS"
;;
esac
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
}
report_capabilities
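
Review bot: In setup_mss the case statement matches only the literal Yes, so every other non-empty CLAMPMSS value, including a differently cased "yes" or a non-numeric string, falls through to the * branch and is handed to iptables as --set-mss $CLAMPMSS. Consider checking that the value is numeric before building the option and failing with a clear configuration error otherwise, rather than leaving the rejection to iptables. Separately, option is assigned without being scoped to the function, so it remains set in the enclosing initialize_netfilter after setup_mss returns; keep it function-scoped or unset it after the run_iptables call.
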
@ -7754,6 +7767,8 @@ initialize_netfilter () {
setpolicy INPUT DROP
setpolicy OUTPUT DROP
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
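
Review bot: The guard [ -n "$CLAMPMSS" ] && setup_mss fires for any non-empty value, while the release note in this commit describes the condition as a value other than "No". If CLAMPMSS=No can reach this point unchanged, setup_mss would take the * branch and emit --set-mss No. Either confirm that "No" is reduced to an empty string before initialize_netfilter runs, or test for it explicitly here. A one-line comment saying why the TCPMSS rule has to be added before setcontinue FORWARD would also keep a later reordering from undoing the fix.
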
@ -7765,6 +7780,8 @@ initialize_netfilter () {
deleteallchains
[ -n "$CLAMPMSS" ] && setup_mss
setcontinue FORWARD
setcontinue INPUT
setcontinue OUTPUT
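
Review bot: The line [ -n "$CLAMPMSS" ] && setup_mss after deleteallchains duplicates the call added in the previous hunk, so the ordering requirement now lives in two branches that have to be kept in sync. Moving the emptiness test into setup_mss would reduce both call sites to a bare setup_mss, or the two branches could share a single call placed just ahead of the common setcontinue FORWARD / INPUT / OUTPUT sequence.
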
@ -7807,19 +7824,6 @@ initialize_netfilter () {
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
done
if [ -n "$CLAMPMSS" ]; then
case $CLAMPMSS in
Yes)
option="--clamp-mss-to-pmtu"
;;
*)
option="--set-mss $CLAMPMSS"
;;
esac
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
fi
accounting_file=$(find_file accounting)
[ -f $accounting_file ] && setup_accounting $accounting_file


@ -17,6 +17,9 @@ Problems Corrected in 3.0.1
clarify that the PORTS column refers to destination port number/service
names.
5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the
order of the rules generated was incorrect.
New Features in 3.0.1
1) To make the macro facility more flexible, Shorewall now examines the
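
Review bot: Item 5 of "Problems Corrected" says only that the order of the generated rules "was incorrect", which does not tell a user what changed or whether an existing setup was affected. The code change adds the TCPMSS rule to FORWARD ahead of setcontinue FORWARD; the note should say that, and say what the earlier ordering meant for clamping when FASTACCEPT=Yes.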