mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-08 16:54:10 +01:00
Add MSS field to ipsec file
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d291bcd48a
commit
2caf2acd88
@ -108,3 +108,5 @@ Changes since 2.0.3
|
||||
51) Allow setting a specify MSS value.
|
||||
|
||||
52) Detect duplicate zone names.
|
||||
|
||||
53) Add MSS column to the ipsec file.
|
||||
|
@ -1746,6 +1746,15 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_ipsec() {
|
||||
|
||||
set_mss() # $1 = chain
|
||||
{
|
||||
eval local policy=\$${1}_policy
|
||||
if [ "$policy" != NONE ]; then
|
||||
ensurechain $1
|
||||
run_iptables -A $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
|
||||
fi
|
||||
}
|
||||
|
||||
do_options() # $1 = _in, _out or "" - $2 = option list
|
||||
{
|
||||
local option opts newoptions=
|
||||
@ -1782,8 +1791,8 @@ setup_ipsec() {
|
||||
|
||||
strip_file ipsec $1
|
||||
|
||||
while read zone ipsec options in_options out_options; do
|
||||
expandv zone ipsec options in_options out_options
|
||||
while read zone ipsec options in_options out_options mss; do
|
||||
expandv zone ipsec options in_options out_options mss
|
||||
|
||||
[ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
|
||||
|
||||
@ -1805,6 +1814,15 @@ setup_ipsec() {
|
||||
do_options "_in" $in_options
|
||||
do_options "_out" $out_options
|
||||
|
||||
if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
|
||||
for z in $zones; do
|
||||
if [ $z != $zone ]; then
|
||||
set_mss ${z}2${zone}
|
||||
set_mss ${zone}2${z}
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/ipsec
|
||||
}
|
||||
|
||||
@ -5494,7 +5512,7 @@ initialize_netfilter () {
|
||||
Yes)
|
||||
option="--clamp-mss-to-pmtu"
|
||||
;;
|
||||
*)
|
||||
*)
|
||||
option="--set-mss $CLAMPMSS"
|
||||
;;
|
||||
esac
|
||||
@ -6096,6 +6114,7 @@ activate_rules()
|
||||
|
||||
fi
|
||||
}
|
||||
|
||||
#
|
||||
# Add jumps to early SNAT chains
|
||||
#
|
||||
|
@ -42,6 +42,9 @@
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# MSS The value that Shorewall should set the MSS field in
|
||||
# SYN packets to/from this zone.
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
@ -49,8 +52,8 @@
|
||||
#
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
################################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
###################################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT MSS
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
@ -300,7 +300,7 @@ New Features:
|
||||
then you can designate the zone as an "ipsec" zone by placing
|
||||
'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
|
||||
|
||||
#ZONE IPSEC OPTIONS
|
||||
#ZONE IPSEC OPTIONS ...
|
||||
# ONLY
|
||||
vpn Yes
|
||||
|
||||
@ -415,10 +415,16 @@ New Features:
|
||||
|
||||
Examples:
|
||||
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
#ZONE IPSEC OPTIONS IN OUT...
|
||||
# ONLY OPTIONS OPTIONS
|
||||
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||
loc No reqid=44,mode=transport
|
||||
|
||||
The last column (MSS) in the /etc/shorewall/ipsec file is intended
|
||||
to help compensate for the fact that there is no longer a
|
||||
pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
|
||||
number in this column, Shorewall will generate rules to set the MSS
|
||||
field in TCP SYN packets the the value of that field.
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
specify Yes or yes in that column then the unencrypted packets will
|
||||
|
Loading…
Reference in New Issue
Block a user