mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-14 03:34:31 +01:00
Correct interaction between FASTACCEPT and CLAMPMSS
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
f753b4ab5c
commit
0fcc67230c
@ -9,6 +9,8 @@ Changes in 3.0.1
|
|||||||
|
|
||||||
4) Clarify PORTS column in blacklist file.
|
4) Clarify PORTS column in blacklist file.
|
||||||
|
|
||||||
|
5) Correct CLAMPMSS/FASTACCEPT interraction.
|
||||||
|
|
||||||
Changes in 3.0.0 Final
|
Changes in 3.0.0 Final
|
||||||
|
|
||||||
None.
|
None.
|
||||||
|
@ -7636,6 +7636,19 @@ verify_ip() {
|
|||||||
# - Determine the zones
|
# - Determine the zones
|
||||||
#
|
#
|
||||||
initialize_netfilter () {
|
initialize_netfilter () {
|
||||||
|
setup_mss()
|
||||||
|
{
|
||||||
|
case $CLAMPMSS in
|
||||||
|
Yes)
|
||||||
|
option="--clamp-mss-to-pmtu"
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
option="--set-mss $CLAMPMSS"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
||||||
|
}
|
||||||
|
|
||||||
report_capabilities
|
report_capabilities
|
||||||
|
|
||||||
@ -7754,6 +7767,8 @@ initialize_netfilter () {
|
|||||||
setpolicy INPUT DROP
|
setpolicy INPUT DROP
|
||||||
setpolicy OUTPUT DROP
|
setpolicy OUTPUT DROP
|
||||||
|
|
||||||
|
[ -n "$CLAMPMSS" ] && setup_mss
|
||||||
|
|
||||||
setcontinue FORWARD
|
setcontinue FORWARD
|
||||||
setcontinue INPUT
|
setcontinue INPUT
|
||||||
setcontinue OUTPUT
|
setcontinue OUTPUT
|
||||||
@ -7765,6 +7780,8 @@ initialize_netfilter () {
|
|||||||
|
|
||||||
deleteallchains
|
deleteallchains
|
||||||
|
|
||||||
|
[ -n "$CLAMPMSS" ] && setup_mss
|
||||||
|
|
||||||
setcontinue FORWARD
|
setcontinue FORWARD
|
||||||
setcontinue INPUT
|
setcontinue INPUT
|
||||||
setcontinue OUTPUT
|
setcontinue OUTPUT
|
||||||
@ -7807,19 +7824,6 @@ initialize_netfilter () {
|
|||||||
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
|
run_iptables -A $chain -p udp --dport 53 -j ACCEPT
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ -n "$CLAMPMSS" ]; then
|
|
||||||
case $CLAMPMSS in
|
|
||||||
Yes)
|
|
||||||
option="--clamp-mss-to-pmtu"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
option="--set-mss $CLAMPMSS"
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
|
|
||||||
fi
|
|
||||||
|
|
||||||
accounting_file=$(find_file accounting)
|
accounting_file=$(find_file accounting)
|
||||||
|
|
||||||
[ -f $accounting_file ] && setup_accounting $accounting_file
|
[ -f $accounting_file ] && setup_accounting $accounting_file
|
||||||
|
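Review bot: The ordering requirement this fix depends on is not written down at either new call site: both `[ -n "$CLAMPMSS" ] && setup_mss` lines in initialize_netfilter have to stay ahead of `setcontinue FORWARD`, and a later reorder would silently bring the bug back. Going by the commit title and release note, setcontinue presumably inserts the FASTACCEPT accept rule, after which packets would never reach a TCPMSS rule appended later, so MSS clamping would quietly stop applying to part of the handshake. I would put `# Must precede setcontinue FORWARD: the TCPMSS rule has to sit ahead of any FASTACCEPT accept rule` above each call and give setup_mss a short header comment saying it appends the FORWARD clamp rule built from $CLAMPMSS. setup_mss also leaves `option` as a global and hands any value other than the exact string `Yes` to `--set-mss`, which is fine only if CLAMPMSS is normalised before this point; the body of initialize_netfilter lies mostly outside these hunks, so that cannot be confirmed here.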
@ -17,6 +17,9 @@ Problems Corrected in 3.0.1
|
|||||||
clarify that the PORTS column refers to destination port number/service
|
clarify that the PORTS column refers to destination port number/service
|
||||||
names.
|
names.
|
||||||
|
|
||||||
|
5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the
|
||||||
|
order of the rules generated was incorrect.
|
||||||
|
|
||||||
New Features in 3.0.1
|
New Features in 3.0.1
|
||||||
|
|
||||||
1) To make the macro facility more flexible, Shorewall now examines the
|
1) To make the macro facility more flexible, Shorewall now examines the
|
||||||
|