Add MSS field to ipsec file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-15 18:46:27 +00:00
parent d291bcd48a
commit 2caf2acd88
4 changed files with 37 additions and 7 deletions


@ -108,3 +108,5 @@ Changes since 2.0.3
51) Allow setting a specify MSS value.
52) Detect duplicate zone names.
53) Add MSS column to the ipsec file.


@ -1746,6 +1746,15 @@ setup_tunnels() # $1 = name of tunnels file
setup_ipsec() {
set_mss() # $1 = chain
{
eval local policy=\$${1}_policy
if [ "$policy" != NONE ]; then
ensurechain $1
run_iptables -A $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
fi
}
do_options() # $1 = _in, _out or "" - $2 = option list
{
local option opts newoptions=
@ -1782,8 +1791,8 @@ setup_ipsec() {
strip_file ipsec $1
while read zone ipsec options in_options out_options; do
expandv zone ipsec options in_options out_options
while read zone ipsec options in_options out_options mss; do
expandv zone ipsec options in_options out_options mss
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
@ -1805,6 +1814,15 @@ setup_ipsec() {
do_options "_in" $in_options
do_options "_out" $out_options
if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
for z in $zones; do
if [ $z != $zone ]; then
set_mss ${z}2${zone}
set_mss ${zone}2${z}
fi
done
fi
done < $TMP_DIR/ipsec
}
@ -5494,7 +5512,7 @@ initialize_netfilter () {
Yes)
option="--clamp-mss-to-pmtu"
;;
*)
*)
option="--set-mss $CLAMPMSS"
;;
esac
@ -6096,6 +6114,7 @@ activate_rules()
fi
}
#
# Add jumps to early SNAT chains
#
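Review bot: The new MSS column reaches `--set-mss $mss` in set_mss without any validation, and because the guard `if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]` skips the whole block when COMMAND is check, a non-numeric or multi-word value (the column is passed through expandv and expanded unquoted) is only discovered when iptables rejects it at start time, never by a check run. Validate the column once per line before the COMMAND test, e.g. `case $mss in *[!0-9]*) fatal_error "Invalid MSS value ($mss)";; esac` placed after the `"x$mss" != "x-"` test, so both check and start reject bad entries. The `-a` form inside `[ ]` is also ambiguous when an operand begins with `-`; `[ $COMMAND != check ] && [ -n "$mss" ] && [ "x$mss" != "x-" ]` is the safer spelling. The `eval local policy=\$${1}_policy` in set_mss builds a variable name from the chain name, which presumably derives from already-validated zone names — worth confirming, since setup_ipsec continues outside the hunk.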


@ -42,6 +42,9 @@
# Example:
# mode=transport,reqid=44
#
# MSS The value that Shorewall should set the MSS field in
# SYN packets to/from this zone.
#
# The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
@ -49,8 +52,8 @@
#
# If you wish to leave a column empty but need to make an entry
# in a following column, use "-".
################################################################################
#ZONE IPSEC OPTIONS IN OUT
###################################################################################
#ZONE IPSEC OPTIONS IN OUT MSS
# ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


@ -300,7 +300,7 @@ New Features:
then you can designate the zone as an "ipsec" zone by placing
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
#ZONE IPSEC OPTIONS
#ZONE IPSEC OPTIONS ...
# ONLY
vpn Yes
@ -415,10 +415,16 @@ New Features:
Examples:
#ZONE IPSEC OPTIONS IN OUT
#ZONE IPSEC OPTIONS IN OUT...
# ONLY OPTIONS OPTIONS
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
loc No reqid=44,mode=transport
The last column (MSS) in the /etc/shorewall/ipsec file is intended
to help compensate for the fact that there is no longer a
pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
number in this column, Shorewall will generate rules to set the MSS
field in TCP SYN packets the the value of that field.
The /etc/shorewall/masq file has a new IPSEC column added. If you
specify Yes or yes in that column then the unencrypted packets will