From 7442c2189d51f6aa945208f5c1f984ce11a9b62e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 31 Mar 2015 15:53:05 -0700
Subject: [PATCH] Implement TCPMSS_TARGET capability

Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli             | 27 ++++++++++++++++-----------
 Shorewall/Perl/Shorewall/Config.pm | 15 +++++++++++----
 Shorewall/Perl/Shorewall/Zones.pm  |  3 +++
 3 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 46e1368a6..c736bc6e0 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40606
+SHOREWALL_CAPVERSION=40609
 [ -n "${g_program:=shorewall}" ]
@@ -2575,6 +2575,7 @@ determine_capabilities() {
     NEW_TOS_MATCH=
     TARPIT_TARGET=
     IFACE_MATCH=
+    TCPMSS_TARGET=
     AMANDA_HELPER=
     FTP_HELPER=
@@ -2732,6 +2733,8 @@ determine_capabilities() {
     qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
+    qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
+
     if [ -n "$MANGLE_ENABLED" ]; then
         qt $g_tool -t mangle -N $chain
@@ -3001,16 +3004,17 @@ report_capabilities_unsorted() {
     report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
     report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
     report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-    report_capability "Geo IP match" $GEOIP_MATCH
-    report_capability "RPFilter match" $RPFILTER_MATCH
-    report_capability "NFAcct match" $NFACCT_MATCH
-    report_capability "Checksum Target" $CHECKSUM_TARGET
-    report_capability "Arptables JF" $ARPTABLESJF
-    report_capability "MASQUERADE Target" $MASQUERADE_TGT
-    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
-    report_capability "New tos Match" $NEW_TOS_MATCH
-    report_capability "TARPIT Target" $TARPIT_TARGET
-    report_capability "Iface Match" $IFACE_MATCH
+    report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
+    report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
+    report_capability "NFAcct Match" $NFACCT_MATCH
+    report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
+    report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
+    report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
+    report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
+    report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
+    report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
+    report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
+    report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
     report_capability "Amanda Helper" $AMANDA_HELPER
     report_capability "FTP Helper" $FTP_HELPER
@@ -3140,6 +3144,7 @@ report_capabilities_unsorted1() {
     report_capability1 NEW_TOS_MATCH
     report_capability1 TARPIT_TARGET
     report_capability1 IFACE_MATCH
+    report_capability1 TCPMSS_TARGET
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 14a0b2a03..2adfc6749 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
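Review bot: Every relabelled line in the report_capabilities_unsorted run now carries the capability variable in parentheses except the `NFAcct Match` one, so someone grepping a capabilities report for NFACCT_MATCH will miss it while finding all of its neighbours; make it `report_capability "NFAcct Match (NFACCT_MATCH)" $NFACCT_MATCH`. The helper entries below keep the old bare labels, which looks deliberate since the hunk does not touch them.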
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -396,6 +396,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
                  NEW_TOS_MATCH => 'New tos Match',
                  TARPIT_TARGET => 'TARPIT Target',
                  IFACE_MATCH => 'Iface Match',
+                 TCPMSS_TARGET => 'TCPMSS Target',
                  AMANDA_HELPER => 'Amanda Helper',
                  FTP_HELPER => 'FTP Helper',
@@ -714,7 +715,7 @@ sub initialize( $;$$) {
                  EXPORT => 0,
                  KLUDGEFREE => '',
                  VERSION => "4.5.19-Beta1",
-                 CAPVERSION => 40606 ,
+                 CAPVERSION => 40609 ,
                 );
     #
     # From shorewall.conf file
@@ -983,6 +984,7 @@ sub initialize( $;$$) {
                        REAP_OPTION => undef,
                        TARPIT_TARGET => undef,
                        IFACE_MATCH => undef,
+                       TCPMSS_TARGET => undef,
                        AMANDA_HELPER => undef,
                        FTP_HELPER => undef,
@@ -4468,7 +4470,9 @@ sub Iface_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
 }
-
+sub Tcpmss_Target() {
+    qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
+}
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
@@ -4557,6 +4561,7 @@ our %detect_capability =
       STATISTIC_MATCH => \&Statistic_Match,
       TARPIT_TARGET => \&Tarpit_Target,
       TCPMSS_MATCH => \&Tcpmss_Match,
+      TCPMSS_TARGET => \&Tcpmss_Target,
       TFTP_HELPER => \&TFTP_Helper,
       TFTP0_HELPER => \&TFTP0_Helper,
       TIME_MATCH => \&Time_Match,
@@ -4710,6 +4715,7 @@ sub determine_capabilities() {
     $capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
     $capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
     $capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
+    $capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
     unless ( have_capability 'CT_TARGET' ) {
         $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
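Review bot: Tcpmss_Target() probes only the `--clamp-mss-to-pmtu` form, yet the capability it reports also gates the numeric `CLAMPMSS=<n>` and `mss=<n>` settings elsewhere in this patch, which presumably end up as `--set-mss`; both options belong to the same TCPMSS extension, so a single probe is reasonable, but that reasoning should be recorded above the sub, e.g. `# --set-mss comes from the same extension, so this one probe covers every CLAMPMSS/mss form`. The hunk also removes the blank line after Iface_Match and leaves the new sub's closing `}` butted directly against `our %detect_capability =`, unlike the spacing between the other probe subs; put the blank line back. The same rule string is duplicated verbatim in the lib.cli probe, and the two must stay identical or the shell and Perl capability files will disagree.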
@@ -5608,8 +5614,9 @@ sub get_configuration( $$$$$ ) {
     default_yes_no 'DETECT_DNAT_IPADDRS' , '';
     default_yes_no 'CLEAR_TC' , $family == F_IPV4 ? 'Yes' : '';
-    if ( supplied $config{CLAMPMSS} ) {
-        default_yes_no 'CLAMPMSS' , '' unless $config{CLAMPMSS} =~ /^\d+$/;
+    if ( supplied( $val = $config{CLAMPMSS} ) ) {
+        default_yes_no 'CLAMPMSS' , '' unless $val =~ /^\d+$/;
+        require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS};
     } else {
         $config{CLAMPMSS} = '';
     }
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index c0a10e66f..db15a4458 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -465,6 +465,7 @@ sub parse_zone_option_list($$\$$)
             } else {
                 fatal_error "Missing value for option \"$e\"" unless defined $val;
                 fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+                require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
             }
             my $key = $zonekey{$e};
@@ -1258,6 +1259,7 @@ sub process_interface( $$ ) {
                 fatal_error "The '$option' option requires a value" unless defined $value;
                 my $numval = numeric_value $value;
                 fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
+                require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
                 $options{$option} = $numval;
                 $hostoptions{$option} = $numval if $hostopt;
             } elsif ( $type == IPLIST_IF_OPTION ) {
@@ -2067,6 +2069,7 @@ sub process_host( ) {
                 $zoneref->{options}{in}{blacklist} = 1;
             } elsif ( $option =~ /^mss=(\d+)$/ ) {
                 fatal_error "Invalid mss ($1)" unless $1 >= 500;
+                require_capability 'TCPMSS_TARGET', $option, 's';
                 $options{mss} = $1;
                 $zoneref->{options}{complex} = 1;
             } elsif ( $validhostoptions{$option}) {
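Review bot: The new `require_capability` line is skipped for `CLAMPMSS=0`, because `0` satisfies the `/^\d+$/` test that bypasses default_yes_no but is false in the `if $config{CLAMPMSS}` guard, so a zero value is accepted silently and never checked; nothing in this hunk bounds a numeric value at all, while the process_host hunk in Zones.pm from the same patch rejects `mss=` values below 500. Either give the numeric form the same floor, `fatal_error "Invalid CLAMPMSS value ($val)" if $val =~ /^\d+$/ && $val < 500;` placed before the capability check, or, if a bare zero is meant to mean "disabled", say so in a comment on the guard. `$val` is presumably a lexical declared earlier in get_configuration, which starts and ends outside this hunk.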
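Review bot: In the process_host hunk the inserted `require_capability` call now sits between the `/^mss=(\d+)$/` match and the `$options{mss} = $1;` assignment, so `$1` is consumed two statements after the match with a sub call in between; Perl restores the caller's capture variables when a sub returns, so this is correct today, but it is fragile and the process_interface branch in the same patch already works from a named value. Capture once right after the match with `my $mss = $1;`, then use `fatal_error "Invalid mss ($mss)" unless $mss >= 500;` and `$options{mss} = $mss;`, leaving the new require_capability line as it is. process_host starts and ends outside this hunk.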