From 0fcc67230c1c6e9039d351a512c3b0020d72fb39 Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 17 Nov 2005 18:23:19 +0000 Subject: [PATCH] Correct interaction between FASTACCEPT and CLAMPMSS git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/firewall | 30 +++++++++++++++++------------- Shorewall/releasenotes.txt | 3 +++ 3 files changed, 22 insertions(+), 13 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 00054fa9f..142140ffb 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -9,6 +9,8 @@ Changes in 3.0.1 4) Clarify PORTS column in blacklist file. +5) Correct CLAMPMSS/FASTACCEPT interraction. + Changes in 3.0.0 Final None. diff --git a/Shorewall/firewall b/Shorewall/firewall index 608215b3f..74acb34d3 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -7636,6 +7636,19 @@ verify_ip() { # - Determine the zones # initialize_netfilter () { + setup_mss() + { + case $CLAMPMSS in + Yes) + option="--clamp-mss-to-pmtu" + ;; + *) + option="--set-mss $CLAMPMSS" + ;; + esac + + run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option + } report_capabilities @@ -7754,6 +7767,8 @@ initialize_netfilter () { setpolicy INPUT DROP setpolicy OUTPUT DROP + [ -n "$CLAMPMSS" ] && setup_mss + setcontinue FORWARD setcontinue INPUT setcontinue OUTPUT @@ -7765,6 +7780,8 @@ initialize_netfilter () { deleteallchains + [ -n "$CLAMPMSS" ] && setup_mss + setcontinue FORWARD setcontinue INPUT setcontinue OUTPUT 
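Review bot: The `*)` arm of the new setup_mss passes any non-empty CLAMPMSS value that is not exactly `Yes` straight into `--set-mss $CLAMPMSS`, so a mis-cased `yes` or a non-numeric token is only rejected later by iptables with a message that does not name the setting, unless the config loader (not visible here) already normalizes the value. A guard arm before `*)` would make the failure explicit, `*[!0-9]*) fatal_error "Invalid CLAMPMSS setting ($CLAMPMSS)";;`, substituting whatever error helper this script actually uses if it is not fatal_error. `option` is also assigned without `local`, so the helper leaves a global behind; `local option` at the top of the function (if the script already relies on `local` elsewhere) avoids that. setup_mss is defined inside initialize_netfilter, whose body continues beyond the hunk.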
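Review bot: The new `[ -n "$CLAMPMSS" ] && setup_mss` line gives no hint why the TCPMSS rule must now be appended here, just before `setcontinue FORWARD`, rather than with the other FORWARD rules later in initialize_netfilter where the last hunk removes it; the commit says only that the order was wrong with FASTACCEPT=Yes. A why-comment above the call would keep the next maintainer from moving it back, e.g. `# must precede setcontinue: rule order matters with FASTACCEPT=Yes (see 3.0.1 release notes)`. The same guarded call is repeated in the following hunk after deleteallchains, so folding the `[ -n "$CLAMPMSS" ]` test into setup_mss itself would leave a single guard to keep in sync. The conditional that selects this branch is outside the hunk.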
@@ -7807,19 +7824,6 @@ initialize_netfilter () { run_iptables -A $chain -p udp --dport 53 -j ACCEPT done - if [ -n "$CLAMPMSS" ]; then - case $CLAMPMSS in - Yes) - option="--clamp-mss-to-pmtu" - ;; - *) - option="--set-mss $CLAMPMSS" - ;; - esac - - run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option - fi - accounting_file=$(find_file accounting) [ -f $accounting_file ] && setup_accounting $accounting_file diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index e5643c532..67dc544c7 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -17,6 +17,9 @@ Problems Corrected in 3.0.1 clarify that the PORTS column refers to destination port number/service names. +5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the + order of the rules generated was incorrect. + New Features in 3.0.1 1) To make the macro facility more flexible, Shorewall now examines the