extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-24 19:51:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Allow CLAMPMSS to set an explicit MSS value

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1679 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-13 00:42:26 +00:00
parent d64c7fd3e6
commit d60d81ca35
4 changed files with 37 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -104,3 +104,5 @@ Changes since 2.0.3
49) Correct logmartians handling. 49) Correct logmartians handling.
50) Add a clarification and fix a typo in the blacklist file. 50) Add a clarification and fix a typo in the blacklist file.
51) Allow setting a specify MSS value.

24
Shorewall2/firewall
View File

@ -5475,9 +5475,16 @@ initialize_netfilter () {
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done done
[ -n "$CLAMPMSS" ] && \ if [ -n "$CLAMPMSS" ]; then
run_iptables -A FORWARD -p tcp \ case $CLAMPMSS in
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu Yes)
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
;;
*)
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $CLAMPMSS
;;
esac
fi
if [ -z "$NEWNOTSYN" ]; then if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no createchain newnotsyn no
@ -6957,8 +6964,15 @@ do_initialize() {
fi fi
[ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP [ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS) case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES) ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER) ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS) LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)

8
Shorewall2/releasenotes.txt
View File

@ -551,3 +551,11 @@ New Features:
If you wish to globally enable martian logging, you can set If you wish to globally enable martian logging, you can set
MARTIAN_LOGGING=Yes in shorewall.conf. MARTIAN_LOGGING=Yes in shorewall.conf.
22) You may now cause Shorewall to use the '--set-mss' option of the
TCPMSS target. In other words, you can cause Shorewall to set the
MSS field of SYN packets passing through the firewall to the value
you specify.
Example:
CLAMPMSS=1400

8
Shorewall2/shorewall.conf
View File

@ -444,6 +444,14 @@ MARK_IN_FORWARD_CHAIN=No
# #
# If left blank, or set to "No" or "no", the option is not enabled. # If left blank, or set to "No" or "no", the option is not enabled.
# #
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule that will modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No CLAMPMSS=No
# #