diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 17f6d4279..6c5495ad9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4589,6 +4589,52 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 },
 },
 
+ TCPMSS => {
+ defaultchain => FORWARD,
+ allowedchains => FORWARD | POSTROUTING,
+ minparams => 0,
+ maxparams => 2,
+ function => sub () {
+ if ( $proto eq '-' ) {
+ $proto = TCP;
+ } else {
+ fatal_error 'TCPMSS only valid with TCP' unless $proto eq '6' || $proto eq 'tcp';
+ }
+
+ $target = 'TCPMSS ';
+ $matches .= '--tcp-flags SYN,RST SYN ';
+
+ if ( supplied $params ) {
+ my ( $mss, $ipsec ) = split /,/, $params;
+
+ if ( supplied $mss ) {
+ if ( $mss eq 'pmtu' ) {
+ $target .= '--clamp-mss-to-pmtu';
+ } else {
+ my $num = numeric_value $mss;
+ fatal_error "Invalid MSS ($mss)" unless defined $num && $num >= 500 && $num < 65534;
+ $target .= "--set-mss $num";
+ }
+ } else {
+ $target .= '--clamp-mss-to-pmtu';
+ }
+ if ( supplied $ipsec && $ipsec ne 'all' ) {
+ if ( $ipsec eq '-' || $ipsec eq 'none' ) {
+ $matches .= '-m policy --pol none --dir out ';
+ } elsif ( $ipsec eq 'ipsec' ) {
+ $matches .= '-m policy --pol ipsec --dir out ';
+ } else {
+ fatal_error "Invalid ipsec parameter ($ipsec)";
+ }
+
+ require_capability 'POLICY_MATCH', "The $ipsec ipsec option", 's';
+ }
+ } else {
+ $target .= '--clamp-mss-to-pmtu';
+ }
+ },
+ },
+
 TOS => {
 defaultchain => 0,
 allowedchains => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index fd847ec3f..b9e99579e 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
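Review bot: The `--clamp-mss-to-pmtu` default is appended in three separate branches of the new TCPMSS function (no params, empty mss, and mss eq 'pmtu'), so the nested `if ( supplied $params )` / `if ( supplied $mss )` structure exists only to reach the same string; folding the default into a single else leaves the numeric MSS as the one special case and lets the ipsec check sit at the same level, with identical behaviour provided `supplied` treats an undefined value as not supplied (the existing `supplied $mss` line already relies on that when `$params` is just `,`). While there, the rejection message could name the accepted values, e.g. `fatal_error "Invalid MSS ($mss); must be 'pmtu' or 500-65533"`, which matches the range the manpage hunk documents. The protocol guard on the `fatal_error 'TCPMSS only valid with TCP'` line accepts only lower-case `'tcp'` or `'6'`; if `$proto` is not normalised before this sub runs (not visible here), an upper-case `TCP` in the PROTO column would be rejected. The enclosing process_mangle_rule1 starts and ends outside the hunk.
```perl
# … unchanged: protocol check …
$target   = 'TCPMSS ';
$matches .= '--tcp-flags SYN,RST SYN ';

my ( $mss, $ipsec ) = supplied( $params ) ? split( /,/, $params ) : ();

if ( supplied $mss && $mss ne 'pmtu' ) {
    my $num = numeric_value $mss;
    fatal_error "Invalid MSS ($mss); must be 'pmtu' or 500-65533" unless defined $num && $num >= 500 && $num < 65534;
    $target .= "--set-mss $num";
} else {
    $target .= '--clamp-mss-to-pmtu';
}

if ( supplied $ipsec && $ipsec ne 'all' ) {
    # … unchanged: policy match selection and require_capability …
}
```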
@@ -674,6 +674,43 @@ SAME $FW 0.0.0.0/0 tcp 80,443 + + TCPMSS([mss][,ipsec]) + + + Added in Shorewall 5.1.9. This target only applies to + TCP traffic and alters the MSS value in SYN packets. It may be + used in the FOWARD and POSTROUTING chains; the default is + FORWARD. + + The mss parameter may be + either or an integer in the range + 500:65533. The value automatically + clamps the MSS value to (path_MTU - 40 for IPv4; -60 for + IPv6). This may not function as desired where asymmetric + routes with differing path MTU exist — the kernel uses the + path MTU which it would use to send packets from itself to the + source and destination IP addresses. Prior to Linux 2.6.25, + only the path MTU to the destination IP address was considered + by this option; subsequent kernels also consider the path MTU + to the source IP address. If an integer is given, the MSS + option is set to the specified value. If the MSS of the packet + is already lower than mss, it will + not be increased (from Linux 2.6.25 onwards) to avoid more + problems with hosts relying on a proper MSS. If + mss is omitted, + is assumed. + + The ipsec parameter + determines whether the rule applies to IPSEC traffic + ( is passed), non-IPSEC traffic + ( is passed) or both + ( is passed). If omitted, + is assumed. + + + TOS(tos[/mask])