Reimplement IPSEC MSS setting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1695 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-24 16:43:21 +01:00 · 2004-10-15 20:00:48 +00:00 · 2004-10-15 20:00:48 +00:00 · 63dc4470ca
commit 63dc4470ca
parent 86b24f688e
4 changed files with 33 additions and 25 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -109,4 +109,4 @@ Changes since 2.0.3

 52) Detect duplicate zone names.

-53) Add MSS column to the ipsec file.
+53) Add mss=<number> option to the ipsec file.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -1746,12 +1746,32 @@ setup_tunnels() # $1 = name of tunnels file

 setup_ipsec() {

-    set_mss() # $1 = chain
+    set_mss1() # $1 = chain, $2 = MSS
    {
 	eval local policy=\$${1}_policy
 	if [ "$policy" != NONE ]; then
 	    ensurechain $1
-	    run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
+	    run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
+	fi
+    }
+
+    set_mss() # $1 = MSS value, $2 = _in, _out or ""
+    {
+	if [ $COMMAND != check ]; then
+	    for z in $zones; do
+		case $2 in
+		    _in)
+			set_mss1 ${z}2${zone} $1
+			;;
+		    _out)			
+			set_mss1 ${zone}2${z} $1
+			;;
+		    *)
+			set_mss1 ${z}2${zone} $1
+			set_mss1 ${zone}2${z} $1
+			;;
+		esac
+	    done
 	fi
    }

@ -1779,6 +1799,7 @@ setup_ipsec() {
 		mode!=*)       newoptions="$newoptions ! --mode ${option#*=}" ;;
 		tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
 		tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
+		mss=[0-9]*)    set_mss ${option#*=} $1 ;;					   
 		*)             fatal_error "Invalid option \"$option\" for zone $zone" ;;
 	    esac
 	done
@ -1813,15 +1834,6 @@ setup_ipsec() {
 	do_options ""     $options
 	do_options "_in"  $in_options
 	do_options "_out" $out_options
-
-	if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
-	    for z in $zones; do
-		if [ $z != $zone ]; then
-		    set_mss ${z}2${zone}
-		    set_mss ${zone}2${z}
-		fi
-	    done
-	fi		
 	    
    done < $TMP_DIR/ipsec
 }	
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@ -24,7 +24,9 @@
 #				spi=<number> where <number> is the SPI of
 #				the SA used to encrypt/decrypt packets.
 #
-#				proto=ah|esp|ipcomp 
+#				proto=ah|esp|ipcomp
+#
+#				mss=<number> (sets the MSS field in TCP packets) 
 #
 #				mode=transport|tunnel
 #
@ -42,9 +44,6 @@
 #			Example:
 #				mode=transport,reqid=44
 #
-#		MSS	The value that Shorewall should set the MSS field in 
-#			SYN packets to/from this zone.
-#
 #		The options in the OPTIONS column are applied to both incoming
 #		and outgoing traffic. The IN OPTIONS are applied to incoming
 #		traffic (in addition to OPTIONS) and the OUT OPTIONS are 
@ -53,7 +52,7 @@
 #		If you wish to leave a column empty but need to make an entry
 #		in a following column, use "-".
 ###################################################################################
-#ZONE	IPSEC	OPTIONS			IN			OUT		MSS
+#ZONE	IPSEC	OPTIONS			IN			OUT
 #	ONLY				OPTIONS			OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -383,7 +383,7 @@ New Features:
    entry.

    The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
-    input-output, input and output characteristing of the security
+    input-output, input and output characteristics of the security
    policies to be used to decrypt (input) or encrypt (output) traffic
    to/from the zone.

@ -397,7 +397,10 @@ New Features:
 	 option should only be listed in the IN OPTIONS and OUT OPTIONS
 	 columns.

-	 proto[!]=ah|esp|ipcomp 
+	 proto[!]=ah|esp|ipcomp
+
+	 mss=<number> (sets the MSS value in TCP SYN packets and is not
+                       related to policy matching) 

 	 mode[!]=transport|tunnel

@ -420,12 +423,6 @@ New Features:
 	vpn	Yes	mode=tunnel,proto=esp	spi=1000	spi=1001
 	loc	No	reqid=44,mode=transport

-    The last column (MSS) in the /etc/shorewall/ipsec file is intended
-    to help compensate for the fact that there is no longer a
-    pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
-    number in this column, Shorewall will generate rules to set the MSS
-    field in TCP SYN packets the the value of that field.
- 
    The /etc/shorewall/masq file has a new IPSEC column added. If you
    specify Yes or yes in that column then the unencrypted packets will
    have their source address changed. Otherwise, the unencrypted