extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-23 14:48:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add TCPMSS to the allowed mangle actions.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-10-18 15:56:01 -07:00
parent 5867ce6c3b
commit 17838c1443
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
2 changed files with 83 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -4589,6 +4589,52 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
},
},
TCPMSS => {
defaultchain => FORWARD,
allowedchains => FORWARD | POSTROUTING,
minparams => 0,
maxparams => 2,
function => sub () {
if ( $proto eq '-' ) {
$proto = TCP;
} else {
fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
}
$target = 'TCPMSS ';
$matches .= '--tcp-flags SYN,RST SYN ';
if ( supplied $params ) {
my ( $mss, $ipsec ) = split /,/, $params;
if ( supplied $mss ) {
if ( $mss eq 'pmtu' ) {
$target .= '--clamp-mss-to-pmtu';
} else {
my $num = numeric_value $mss;
fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
$target .= "--set-mss $num";
}
} else {
$target .= '--clamp-mss-to-pmtu';
}
if ( supplied $ipsec && $ipsec ne 'all' ) {
if ( $ipsec eq '-' || $ipsec eq 'none' ) {
$matches .= '-m policy --pol none --dir out ';
} elsif ( $ipsec eq 'ipsec' ) {
$matches .= '-m policy --pol ipsec --dir out ';
} else {
fatal_error "Invalid ipsec parameter ($ipsec)";
}
require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
}
} else {
$target .= '--clamp-mss-to-pmtu';
}
},
},
TOS => {
defaultchain => 0,
allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,

37
Shorewall/manpages/shorewall-mangle.xml
View File

@ -674,6 +674,43 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TCPMSS</emphasis>([<replaceable>mss</replaceable>][,<replaceable>ipsec</replaceable>])</term>
<listitem>
<para>Added in Shorewall 5.1.9. This target only applies to
TCP traffic and alters the MSS value in SYN packets. It may be
used in the FOWARD and POSTROUTING chains; the default is
FORWARD.</para>
<para>The <replaceable>mss</replaceable> parameter may be
either <option>pmtu</option> or an integer in the range
500:65533. The value <option>pmtu</option> automatically
clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
IPv6). This may not function as desired where asymmetric
routes with differing path MTU exist — the kernel uses the
path MTU which it would use to send packets from itself to the
source and destination IP addresses. Prior to Linux 2.6.25,
only the path MTU to the destination IP address was considered
by this option; subsequent kernels also consider the path MTU
to the source IP address. If an integer is given, the MSS
option is set to the specified value. If the MSS of the packet
is already lower than <replaceable>mss</replaceable>, it will
not be increased (from Linux 2.6.25 onwards) to avoid more
problems with hosts relying on a proper MSS. If
<replaceable>mss</replaceable> is omitted,
<option>pmtu</option> is assumed.</para>
<para>The <replaceable>ipsec</replaceable> parameter
determines whether the rule applies to IPSEC traffic
(<option>ipsec</option> is passed), non-IPSEC traffic
(<option>none</option> is passed) or both
(<option>all</option> is passed). If omitted,
<option>all</option> is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</term>