Correct interaction between FASTACCEPT and CLAMPMSS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3013 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -9,6 +9,8 @@ Changes in 3.0.1
 
 4) Clarify PORTS column in blacklist file.
 
+5) Correct CLAMPMSS/FASTACCEPT interraction.
+
 Changes in 3.0.0 Final
 
 None.

Shorewall/firewall

@@ -7636,6 +7636,19 @@ verify_ip() {
 #	- Determine the zones
 #
 initialize_netfilter () {
+    setup_mss()
+    {
+	case $CLAMPMSS in
+	    Yes)
+		option="--clamp-mss-to-pmtu"
+		;;
+	    *)
+		option="--set-mss $CLAMPMSS"
+		;;
+	esac
+
+	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
+    }
 
     report_capabilities
 
@@ -7754,6 +7767,8 @@ initialize_netfilter () {
 	setpolicy INPUT DROP
 	setpolicy OUTPUT DROP
 
+	[ -n "$CLAMPMSS" ] && setup_mss
+
 	setcontinue FORWARD
 	setcontinue INPUT
 	setcontinue OUTPUT
@@ -7765,6 +7780,8 @@ initialize_netfilter () {
 
 	deleteallchains
 
+	[ -n "$CLAMPMSS" ] && setup_mss
+
 	setcontinue FORWARD
 	setcontinue INPUT
 	setcontinue OUTPUT
@@ -7807,19 +7824,6 @@ initialize_netfilter () {
 	run_iptables -A $chain -p udp --dport 53 -j ACCEPT
     done
 
-    if [ -n "$CLAMPMSS" ]; then
-	case $CLAMPMSS in
-	    Yes)
-		option="--clamp-mss-to-pmtu"
-		;;
-	    *)
-		option="--set-mss $CLAMPMSS"
-		;;
-	esac
-
-	run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option
-    fi
-
     accounting_file=$(find_file accounting)
 
     [ -f $accounting_file ] && setup_accounting $accounting_file

Shorewall/releasenotes.txt

@@ -17,6 +17,9 @@ Problems Corrected in 3.0.1
    clarify that the PORTS column refers to destination port number/service
    names.
 
+5) When CLAMPMSS is set to a value other than "No" and FASTACCEPT=Yes, the
+   order of the rules generated was incorrect.
+
 New Features in 3.0.1
 
 1)  To make the macro facility more flexible, Shorewall now examines the