diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 17f6d4279..6c5495ad9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4589,6 +4589,52 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
},
},
+ TCPMSS => {
+ defaultchain => FORWARD,
+ allowedchains => FORWARD | POSTROUTING,
+ minparams => 0,
+ maxparams => 2,
+ function => sub () {
+ if ( $proto eq '-' ) {
+ $proto = TCP;
+ } else {
+ fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
+ }
+
+ $target = 'TCPMSS ';
+ $matches .= '--tcp-flags SYN,RST SYN ';
+
+ if ( supplied $params ) {
+ my ( $mss, $ipsec ) = split /,/, $params;
+
+ if ( supplied $mss ) {
+ if ( $mss eq 'pmtu' ) {
+ $target .= '--clamp-mss-to-pmtu';
+ } else {
+ my $num = numeric_value $mss;
+ fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
+ $target .= "--set-mss $num";
+ }
+ } else {
+ $target .= '--clamp-mss-to-pmtu';
+ }
+ if ( supplied $ipsec && $ipsec ne 'all' ) {
+ if ( $ipsec eq '-' || $ipsec eq 'none' ) {
+ $matches .= '-m policy --pol none --dir out ';
+ } elsif ( $ipsec eq 'ipsec' ) {
+ $matches .= '-m policy --pol ipsec --dir out ';
+ } else {
+ fatal_error "Invalid ipsec parameter ($ipsec)";
+ }
+
+ require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
+ }
+ } else {
+ $target .= '--clamp-mss-to-pmtu';
+ }
+ },
+ },
+
TOS => {
defaultchain => 0,
allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
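Review bot: The `ipsec` branch treats `-` as a synonym for `none` (`--pol none --dir out`), while an omitted second parameter yields no policy match at all, i.e. the documented `all` default; if this file follows Shorewall's usual convention that `-` means "not specified", `TCPMSS(pmtu,-)` silently gives a different rule than `TCPMSS(pmtu)`. I would either make `-` behave like omission — `if ( supplied $ipsec && $ipsec ne 'all' && $ipsec ne '-' )` and drop `$ipsec eq '-' ||` from the `none` test — or state explicitly in the manpage that `-` means `none`. The `--clamp-mss-to-pmtu` default is also spelled out in three branches; computing `$mss` first (`my ( $mss, $ipsec ) = supplied $params ? split /,/, $params : (); $mss = 'pmtu' unless supplied $mss;`) collapses them into one `if`/`else` and removes the chance of the defaults drifting apart. The range check `$num >= 500 && $num < 65534` matches the documented 500:65533 on the XML side, which is good; the enclosing `process_mangle_rule1` table starts and ends outside this hunk.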
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index fd847ec3f..b9e99579e 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -674,6 +674,43 @@ SAME $FW 0.0.0.0/0 tcp 80,443
+
+ TCPMSS([mss][,ipsec])
+
+
+ Added in Shorewall 5.1.9. This target only applies to
+ TCP traffic and alters the MSS value in SYN packets. It may be
+ used in the FOWARD and POSTROUTING chains; the default is
+ FORWARD.
+
+ The mss parameter may be
+ either or an integer in the range
+ 500:65533. The value automatically
+ clamps the MSS value to (path_MTU - 40 for IPv4; -60 for
+ IPv6). This may not function as desired where asymmetric
+ routes with differing path MTU exist — the kernel uses the
+ path MTU which it would use to send packets from itself to the
+ source and destination IP addresses. Prior to Linux 2.6.25,
+ only the path MTU to the destination IP address was considered
+ by this option; subsequent kernels also consider the path MTU
+ to the source IP address. If an integer is given, the MSS
+ option is set to the specified value. If the MSS of the packet
+ is already lower than mss, it will
+ not be increased (from Linux 2.6.25 onwards) to avoid more
+ problems with hosts relying on a proper MSS. If
+ mss is omitted,
+ is assumed.
+
+ The ipsec parameter
+ determines whether the rule applies to IPSEC traffic
+ ( is passed), non-IPSEC traffic
+ ( is passed) or both
+ ( is passed). If omitted,
+ is assumed.
+
+
+
TOS(tos[/mask])