Add MSS field to ipsec file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -108,3 +108,5 @@ Changes since 2.0.3
 51) Allow setting a specify MSS value.
 
 52) Detect duplicate zone names.
+
+53) Add MSS column to the ipsec file.

Shorewall2/firewall

@@ -1746,6 +1746,15 @@ setup_tunnels() # $1 = name of tunnels file
 
 setup_ipsec() {
 
+    set_mss() # $1 = chain
+    {
+	eval local policy=\$${1}_policy
+	if [ "$policy" != NONE ]; then
+	    ensurechain $1
+	    run_iptables -A $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
+	fi
+    }
+
     do_options() # $1 = _in, _out or "" - $2 = option list
     {
 	local option opts newoptions=
@@ -1782,8 +1791,8 @@ setup_ipsec() {
 
     strip_file ipsec $1
     
-    while read zone ipsec options in_options out_options; do
-	expandv zone ipsec options in_options out_options
+    while read zone ipsec options in_options out_options mss; do
+	expandv zone ipsec options in_options out_options mss
 
 	[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
 
@@ -1805,6 +1814,15 @@ setup_ipsec() {
 	do_options "_in"  $in_options
 	do_options "_out" $out_options
 
+	if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
+	    for z in $zones; do
+		if [ $z != $zone ]; then
+		    set_mss ${z}2${zone}
+		    set_mss ${zone}2${z}
+		fi
+	    done
+	fi		
+	    
     done < $TMP_DIR/ipsec
 }	
 
@@ -5494,7 +5512,7 @@ initialize_netfilter () {
 	    Yes)
 		option="--clamp-mss-to-pmtu"
 		;;
-	    *)
+          	    *)
 		option="--set-mss $CLAMPMSS"
 		;;
 	esac
@@ -6096,6 +6114,7 @@ activate_rules()
 
 	fi
     }
+
     #
     # Add jumps to early SNAT chains
     #

Shorewall2/ipsec

@@ -42,6 +42,9 @@
 #			Example:
 #				mode=transport,reqid=44
 #
+#		MSS	The value that Shorewall should set the MSS field in 
+#			SYN packets to/from this zone.
+#
 #		The options in the OPTIONS column are applied to both incoming
 #		and outgoing traffic. The IN OPTIONS are applied to incoming
 #		traffic (in addition to OPTIONS) and the OUT OPTIONS are 
@@ -49,8 +52,8 @@
 #
 #		If you wish to leave a column empty but need to make an entry
 #		in a following column, use "-".
-################################################################################
-#ZONE	IPSEC	OPTIONS			IN			OUT
+###################################################################################
+#ZONE	IPSEC	OPTIONS			IN			OUT		MSS
 #	ONLY				OPTIONS			OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
 

Shorewall2/releasenotes.txt

@@ -300,7 +300,7 @@ New Features:
     then you can designate the zone as an "ipsec" zone by placing
     'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
 
-	#ZONE		IPSEC	OPTIONS
+	#ZONE		IPSEC	OPTIONS ...
 	#		ONLY
 	vpn		Yes
 
@@ -415,10 +415,16 @@ New Features:
 
     Examples:
 
-	#ZONE	IPSEC	OPTIONS			IN		OUT
+	#ZONE	IPSEC	OPTIONS			IN		OUT...
 	#	ONLY				OPTIONS		OPTIONS
 	vpn	Yes	mode=tunnel,proto=esp	spi=1000	spi=1001
 	loc	No	reqid=44,mode=transport
+
+    The last column (MSS) in the /etc/shorewall/ipsec file is intended
+    to help compensate for the fact that there is no longer a
+    pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
+    number in this column, Shorewall will generate rules to set the MSS
+    field in TCP SYN packets the the value of that field.
  
     The /etc/shorewall/masq file has a new IPSEC column added. If you
     specify Yes or yes in that column then the unencrypted packets will