diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 6567fc80c..6b6634bd4 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2125,10 +2125,12 @@ sub setup_mss( ) { for ( @$interfaces ) { my $mss = get_interface_option( $_, 'mss' ); my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; - add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; - add_rule $chainref, "-o $_ -j RETURN" if $clampmss; - add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; - add_rule $chainref, "-i $_ -j RETURN" if $clampmss; + my $source = match_source_dev $_; + my $dest = match_dest_dev $_; + add_rule $chainref, "$dest -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; + add_rule $chainref, "$dest -j RETURN" if $clampmss; + add_rule $chainref, "$source -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss"; + add_rule $chainref, "$source -j RETURN" if $clampmss; } } diff --git a/docs/configuration_file_basics.xml b/docs/configuration_file_basics.xml index 2f94827b3..371b8a64d 100644 --- a/docs/configuration_file_basics.xml +++ b/docs/configuration_file_basics.xml @@ -1028,6 +1028,79 @@ Shorewall has detected the following iptables/netfilter capabilities: "!tcp"). +
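Review bot: The loop body now hands `$_` to three different helper subs (`get_interface_option`, `match_source_dev`, `match_dest_dev`) before reusing it in the `add_rule` strings, so any of them that iterates with `for`/`map` without localizing `$_` would silently clobber the interface name for the later rules; naming the loop variable avoids that: `for my $interface ( @$interfaces ) {` with `my $source = match_source_dev $interface;` and `my $dest = match_dest_dev $interface;`. Separately, the removed lines placed exactly one space between `-o $_` and `-p tcp`; if `match_dest_dev`/`match_source_dev` return their fragment with a trailing space, `"$dest -p tcp ..."` emits a double space into the generated rule — harmless to iptables, but worth confirming against the helpers' actual return value before relying on the exact rule text elsewhere. setup_mss starts outside the hunk; only its closing braces are visible here.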
+ ICMP and ICMP6 Types and Codes + + When dealing with ICMP, the DEST PORT specifies the type or type and + code. You may specify the numeric type, the numeric type and code + separated by a slash (e.g., 3/4) or you may use a type name. + + Type names for IPv4 and their corresponding type or type/code + are: + + echo-reply' => 0 +destination-unreachable => 3 + network-unreachable => 3/0 + host-unreachable => 3/1 +protocol-unreachable => 3/2 +port-unreachable => 3/3 +fragmentation-needed => 3/4 +source-route-failed => 3/5 +network-unknown => 3/6 +host-unknown => 3/7 +network-prohibited => 3/9 +host-prohibited => 3/10 +TOS-network-unreachable => 3/11 +TOS-host-unreachable => 3/12 +communication-prohibited => 3/13 +host-precedence-violation => 3/14 +precedence-cutoff => 3/15 +source-quench => 4 +redirect => 5 + network-redirect => 5/0 + host-redirect => 5/1 + TOS-network-redirect => 5/2 + TOS-host-redirect => 5/3 +echo-request => 8 +router-advertisement => 9 +router-solicitation => 10 +time-exceeded => 11 + ttl-zero-during-transit => 11/0 + ttl-zero-during-reassembly=> 11/1 +parameter-problem => 12 + ip-header-bad => 12/0 + required-option-missing => 12/1 +timestamp-request => 13 +timestamp-reply => 14 +address-mask-request => 17 +address-mask-reply => 18 + + Type names for IPv6 and their corresponding type or type/code + are: + + destination-unreachable => 1 + no-route' => 1/0 + communication-prohibited => 1/1 + address-unreachable' => 1/2 + port-unreachable' => 1/3 +packet-too-big => 2 +time-exceeded' => 3 +ttl-exceeded' => 3 + ttl-zero-during-transit => 3/0 + ttl-zero-during-reassembly => 3/1 +parameter-problem => 4 + bad-header => 4/0 + unknown-header-type => 4/1 + unknown-option => 4/2 +echo-request => 128 +echo-reply => 129 +router-solicitation => 133 +router-advertisement => 134 +neighbour-solicitation => 135 +neighbour-advertisement => 136 +redirect => 137 +
+
Port Ranges