Implement TCPMSS_TARGET capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
551be3ed39
commit
7442c2189d
@ -25,7 +25,7 @@
|
|||||||
# loaded after this one and replaces some of the functions declared here.
|
# loaded after this one and replaces some of the functions declared here.
|
||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_CAPVERSION=40606
|
SHOREWALL_CAPVERSION=40609
|
||||||
|
|
||||||
[ -n "${g_program:=shorewall}" ]
|
[ -n "${g_program:=shorewall}" ]
|
||||||
|
|
||||||
@ -2575,6 +2575,7 @@ determine_capabilities() {
|
|||||||
NEW_TOS_MATCH=
|
NEW_TOS_MATCH=
|
||||||
TARPIT_TARGET=
|
TARPIT_TARGET=
|
||||||
IFACE_MATCH=
|
IFACE_MATCH=
|
||||||
|
TCPMSS_TARGET=
|
||||||
|
|
||||||
AMANDA_HELPER=
|
AMANDA_HELPER=
|
||||||
FTP_HELPER=
|
FTP_HELPER=
|
||||||
@ -2732,6 +2733,8 @@ determine_capabilities() {
|
|||||||
|
|
||||||
qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
|
qt $g_tool -A $chain -m iface --iface lo --loopback && IFACE_MATCH=Yes
|
||||||
|
|
||||||
|
qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu && TCPMSS_TARGET=Yes
|
||||||
|
|
||||||
if [ -n "$MANGLE_ENABLED" ]; then
|
if [ -n "$MANGLE_ENABLED" ]; then
|
||||||
qt $g_tool -t mangle -N $chain
|
qt $g_tool -t mangle -N $chain
|
||||||
|
|
||||||
@ -3001,16 +3004,17 @@ report_capabilities_unsorted() {
|
|||||||
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
|
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
|
||||||
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
|
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
|
||||||
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
|
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
|
||||||
report_capability "Geo IP match" $GEOIP_MATCH
|
report_capability "Geo IP Match (GEOIP_MATCH)" $GEOIP_MATCH
|
||||||
report_capability "RPFilter match" $RPFILTER_MATCH
|
report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH
|
||||||
report_capability "NFAcct match" $NFACCT_MATCH
|
report_capability "NFAcct Match" $NFACCT_MATCH
|
||||||
report_capability "Checksum Target" $CHECKSUM_TARGET
|
report_capability "Checksum Target (CHECKSUM_TARGET)" $CHECKSUM_TARGET
|
||||||
report_capability "Arptables JF" $ARPTABLESJF
|
report_capability "Arptables JF (ARPTABLESJF)" $ARPTABLESJF
|
||||||
report_capability "MASQUERADE Target" $MASQUERADE_TGT
|
report_capability "MASQUERADE Target (MASQUERADE_TGT)" $MASQUERADE_TGT
|
||||||
report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
|
report_capability "UDPLITE Port Redirection (UDPLITEREDIRECT)" $UDPLITEREDIRECT
|
||||||
report_capability "New tos Match" $NEW_TOS_MATCH
|
report_capability "New tos Match (NEW_TOS_MATCH)" $NEW_TOS_MATCH
|
||||||
report_capability "TARPIT Target" $TARPIT_TARGET
|
report_capability "TARPIT Target (TARPIT_TARGET)" $TARPIT_TARGET
|
||||||
report_capability "Iface Match" $IFACE_MATCH
|
report_capability "Iface Match (IFACE_MATCH)" $IFACE_MATCH
|
||||||
|
report_capability "TCPMSS Target (TCPMSS_TARGET)" $TCPMSS_TARGET
|
||||||
|
|
||||||
report_capability "Amanda Helper" $AMANDA_HELPER
|
report_capability "Amanda Helper" $AMANDA_HELPER
|
||||||
report_capability "FTP Helper" $FTP_HELPER
|
report_capability "FTP Helper" $FTP_HELPER
|
||||||
@ -3140,6 +3144,7 @@ report_capabilities_unsorted1() {
|
|||||||
report_capability1 NEW_TOS_MATCH
|
report_capability1 NEW_TOS_MATCH
|
||||||
report_capability1 TARPIT_TARGET
|
report_capability1 TARPIT_TARGET
|
||||||
report_capability1 IFACE_MATCH
|
report_capability1 IFACE_MATCH
|
||||||
|
report_capability1 TCPMSS_TARGET
|
||||||
|
|
||||||
report_capability1 AMANDA_HELPER
|
report_capability1 AMANDA_HELPER
|
||||||
report_capability1 FTP_HELPER
|
report_capability1 FTP_HELPER
|
||||||
|
@ -396,6 +396,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
NEW_TOS_MATCH => 'New tos Match',
|
NEW_TOS_MATCH => 'New tos Match',
|
||||||
TARPIT_TARGET => 'TARPIT Target',
|
TARPIT_TARGET => 'TARPIT Target',
|
||||||
IFACE_MATCH => 'Iface Match',
|
IFACE_MATCH => 'Iface Match',
|
||||||
|
TCPMSS_TARGET => 'TCPMSS Target',
|
||||||
|
|
||||||
AMANDA_HELPER => 'Amanda Helper',
|
AMANDA_HELPER => 'Amanda Helper',
|
||||||
FTP_HELPER => 'FTP Helper',
|
FTP_HELPER => 'FTP Helper',
|
||||||
@ -714,7 +715,7 @@ sub initialize( $;$$) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
VERSION => "4.5.19-Beta1",
|
VERSION => "4.5.19-Beta1",
|
||||||
CAPVERSION => 40606 ,
|
CAPVERSION => 40609 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -983,6 +984,7 @@ sub initialize( $;$$) {
|
|||||||
REAP_OPTION => undef,
|
REAP_OPTION => undef,
|
||||||
TARPIT_TARGET => undef,
|
TARPIT_TARGET => undef,
|
||||||
IFACE_MATCH => undef,
|
IFACE_MATCH => undef,
|
||||||
|
TCPMSS_TARGET => undef,
|
||||||
|
|
||||||
AMANDA_HELPER => undef,
|
AMANDA_HELPER => undef,
|
||||||
FTP_HELPER => undef,
|
FTP_HELPER => undef,
|
||||||
@ -4468,7 +4470,9 @@ sub Iface_Match() {
|
|||||||
qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
|
qt1( "$iptables $iptablesw -A $sillyname -m iface --iface lo --loopback" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Tcpmss_Target() {
|
||||||
|
qt1( "$iptables $iptablesw -A $sillyname -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" );
|
||||||
|
}
|
||||||
|
|
||||||
our %detect_capability =
|
our %detect_capability =
|
||||||
( ACCOUNT_TARGET =>\&Account_Target,
|
( ACCOUNT_TARGET =>\&Account_Target,
|
||||||
@ -4557,6 +4561,7 @@ our %detect_capability =
|
|||||||
STATISTIC_MATCH => \&Statistic_Match,
|
STATISTIC_MATCH => \&Statistic_Match,
|
||||||
TARPIT_TARGET => \&Tarpit_Target,
|
TARPIT_TARGET => \&Tarpit_Target,
|
||||||
TCPMSS_MATCH => \&Tcpmss_Match,
|
TCPMSS_MATCH => \&Tcpmss_Match,
|
||||||
|
TCPMSS_TARGET => \&Tcpmss_Target,
|
||||||
TFTP_HELPER => \&TFTP_Helper,
|
TFTP_HELPER => \&TFTP_Helper,
|
||||||
TFTP0_HELPER => \&TFTP0_Helper,
|
TFTP0_HELPER => \&TFTP0_Helper,
|
||||||
TIME_MATCH => \&Time_Match,
|
TIME_MATCH => \&Time_Match,
|
||||||
@ -4710,6 +4715,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
|
$capabilities{NEW_TOS_MATCH} = detect_capability( 'NEW_TOS_MATCH' );
|
||||||
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
|
$capabilities{TARPIT_TARGET} = detect_capability( 'TARPIT_TARGET' );
|
||||||
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
|
$capabilities{IFACE_MATCH} = detect_capability( 'IFACE_MATCH' );
|
||||||
|
$capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
|
||||||
|
|
||||||
unless ( have_capability 'CT_TARGET' ) {
|
unless ( have_capability 'CT_TARGET' ) {
|
||||||
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
|
||||||
@ -5608,8 +5614,9 @@ sub get_configuration( $$$$$ ) {
|
|||||||
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
|
default_yes_no 'DETECT_DNAT_IPADDRS' , '';
|
||||||
default_yes_no 'CLEAR_TC' , $family == F_IPV4 ? 'Yes' : '';
|
default_yes_no 'CLEAR_TC' , $family == F_IPV4 ? 'Yes' : '';
|
||||||
|
|
||||||
if ( supplied $config{CLAMPMSS} ) {
|
if ( supplied( $val = $config{CLAMPMSS} ) ) {
|
||||||
default_yes_no 'CLAMPMSS' , '' unless $config{CLAMPMSS} =~ /^\d+$/;
|
default_yes_no 'CLAMPMSS' , '' unless $val =~ /^\d+$/;
|
||||||
|
require_capability 'TCPMSS_TARGET', "CLAMPMSS=$val", 's' if $config{CLAMPMSS};
|
||||||
} else {
|
} else {
|
||||||
$config{CLAMPMSS} = '';
|
$config{CLAMPMSS} = '';
|
||||||
}
|
}
|
||||||
|
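Review bot: The numeric form of CLAMPMSS is still accepted with no lower bound: `default_yes_no 'CLAMPMSS' , '' unless $val =~ /^\d+$/;` lets `CLAMPMSS=0` or `CLAMPMSS=40` through, whereas the `mss=` host option added in this same commit rejects anything below 500 with `fatal_error "Invalid mss ($1)" unless $1 >= 500;`. Because the new `require_capability` is guarded by `if $config{CLAMPMSS}`, a value of 0 also skips the capability check entirely, so whatever downstream code emits for it is not gated on the target being available. A consistent guard would be `fatal_error "Invalid CLAMPMSS value ($val)" if $val =~ /^\d+$/ && $val < 500;` placed before the capability check. `$val` is assigned here without `my`, so it is presumably declared earlier in get_configuration, whose body starts and ends outside the hunk.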
@ -465,6 +465,7 @@ sub parse_zone_option_list($$\$$)
|
|||||||
} else {
|
} else {
|
||||||
fatal_error "Missing value for option \"$e\"" unless defined $val;
|
fatal_error "Missing value for option \"$e\"" unless defined $val;
|
||||||
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
|
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
|
||||||
|
require_capability 'TCPMSS_TARGET', "mss=$val", 's' if $e eq 'mss';
|
||||||
}
|
}
|
||||||
|
|
||||||
my $key = $zonekey{$e};
|
my $key = $zonekey{$e};
|
||||||
@ -1258,6 +1259,7 @@ sub process_interface( $$ ) {
|
|||||||
fatal_error "The '$option' option requires a value" unless defined $value;
|
fatal_error "The '$option' option requires a value" unless defined $value;
|
||||||
my $numval = numeric_value $value;
|
my $numval = numeric_value $value;
|
||||||
fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
|
fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
|
||||||
|
require_capability 'TCPMSS_TARGET', "mss=$value", 's' if $option eq 'mss';
|
||||||
$options{$option} = $numval;
|
$options{$option} = $numval;
|
||||||
$hostoptions{$option} = $numval if $hostopt;
|
$hostoptions{$option} = $numval if $hostopt;
|
||||||
} elsif ( $type == IPLIST_IF_OPTION ) {
|
} elsif ( $type == IPLIST_IF_OPTION ) {
|
||||||
@ -2067,6 +2069,7 @@ sub process_host( ) {
|
|||||||
$zoneref->{options}{in}{blacklist} = 1;
|
$zoneref->{options}{in}{blacklist} = 1;
|
||||||
} elsif ( $option =~ /^mss=(\d+)$/ ) {
|
} elsif ( $option =~ /^mss=(\d+)$/ ) {
|
||||||
fatal_error "Invalid mss ($1)" unless $1 >= 500;
|
fatal_error "Invalid mss ($1)" unless $1 >= 500;
|
||||||
|
require_capability 'TCPMSS_TARGET', $option, 's';
|
||||||
$options{mss} = $1;
|
$options{mss} = $1;
|
||||||
$zoneref->{options}{complex} = 1;
|
$zoneref->{options}{complex} = 1;
|
||||||
} elsif ( $validhostoptions{$option}) {
|
} elsif ( $validhostoptions{$option}) {
|
||||||