From 2caf2acd88d9f02e5fa743ae1bc84de1d2dc601b Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 15 Oct 2004 18:46:27 +0000
Subject: [PATCH] Add MSS field to ipsec file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1693 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 25 ++++++++++++++++++++++---
 Shorewall2/ipsec | 7 +++++--
 Shorewall2/releasenotes.txt | 10 ++++++++--
 4 files changed, 37 insertions(+), 7 deletions(-)

diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 2d2fc6db4..614c98fdf 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -108,3 +108,5 @@ Changes since 2.0.3
 51) Allow setting a specify MSS value.
 
 52) Detect duplicate zone names.
+
+53) Add MSS column to the ipsec file.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 3465a03d6..4bb5f76d7 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1746,6 +1746,15 @@ setup_tunnels() # $1 = name of tunnels file
 setup_ipsec() {
+ set_mss() # $1 = chain
+ {
+ eval local policy=\$${1}_policy
+ if [ "$policy" != NONE ]; then
+ ensurechain $1
+ run_iptables -A $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
+ fi
+ }
+
 do_options() # $1 = _in, _out or "" - $2 = option list
 {
 local option opts newoptions=
@@ -1782,8 +1791,8 @@ setup_ipsec() {
 strip_file ipsec $1
- while read zone ipsec options in_options out_options; do
- expandv zone ipsec options in_options out_options
+ while read zone ipsec options in_options out_options mss; do
+ expandv zone ipsec options in_options out_options mss
 [ -n "$POLICY_MATCH" ] || fatal_error "Your kernel and/or iptables does not support policy match"
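Review bot: `set_mss` reads `$mss` from the enclosing `while read ... mss` loop rather than taking it as an argument, and its header comment `# $1 = chain` does not mention that dependency, so the helper cannot be understood or reused without the loop that follows in a later hunk. Passing the value explicitly keeps it self-contained: `set_mss() # $1 = chain, $2 = MSS value for SYN packets` with `--set-mss $2`, and the `set_mss ${z}2${zone}` / `set_mss ${zone}2${z}` calls in the later hunk passing `$mss`. The `eval local policy=\$${1}_policy` line composes a shell variable name from the chain name, so it relies on zone names already being restricted to identifier characters elsewhere — worth confirming at the place zone names are parsed. `setup_ipsec` continues outside the hunk.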
@@ -1805,6 +1814,15 @@ setup_ipsec() {
 do_options "_in" $in_options
 do_options "_out" $out_options
+ if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
+ for z in $zones; do
+ if [ $z != $zone ]; then
+ set_mss ${z}2${zone}
+ set_mss ${zone}2${z}
+ fi
+ done
+ fi
+
 done < $TMP_DIR/ipsec
 }
@@ -5494,7 +5512,7 @@ initialize_netfilter () {
 Yes)
 option="--clamp-mss-to-pmtu"
 ;;
- *)
+ *)
 option="--set-mss $CLAMPMSS"
 ;;
 esac
@@ -6096,6 +6114,7 @@ activate_rules()
 fi
 }
+
 #
 # Add jumps to early SNAT chains
 #
diff --git a/Shorewall2/ipsec b/Shorewall2/ipsec
index 5474ad718..ab8704e20 100644
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
@@ -42,6 +42,9 @@
 # Example:
 # mode=transport,reqid=44
 #
+# MSS The value that Shorewall should set the MSS field in
+# SYN packets to/from this zone.
+#
 # The options in the OPTIONS column are applied to both incoming
 # and outgoing traffic. The IN OPTIONS are applied to incoming
 # traffic (in addition to OPTIONS) and the OUT OPTIONS are
@@ -49,8 +52,8 @@
 #
 # If you wish to leave a column empty but need to make an entry
 # in a following column, use "-".
-################################################################################
-#ZONE IPSEC OPTIONS IN OUT
+###################################################################################
+#ZONE IPSEC OPTIONS IN OUT MSS
 # ONLY OPTIONS OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index 2d0cb02a6..b2862af81 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -300,7 +300,7 @@ New Features:
 then you can designate the zone as an "ipsec" zone by placing 'Yes" in the IPSEC ONLY column in the /etc/shorewall/ipsec:
- #ZONE IPSEC OPTIONS
+ #ZONE IPSEC OPTIONS ...
 # ONLY
 vpn Yes
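Review bot: The MSS value read from the ipsec file is handed straight to `--set-mss` in `set_mss` without being checked as a number, and because the whole new block is skipped when `$COMMAND` is `check`, a malformed entry is not reported by the check command and only surfaces as an iptables failure at start. Validating before the command test keeps check mode useful: `case $mss in -|"") ;; *[!0-9]*) fatal_error "Invalid MSS value ($mss) for zone $zone" ;; esac` placed before the `if [ $COMMAND != check ...` line, using the same `fatal_error` helper the loop already calls for the policy-match test. The `while read` loop and `setup_ipsec` itself begin outside the hunk.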
@@ -415,10 +415,16 @@ New Features:
 Examples:
- #ZONE IPSEC OPTIONS IN OUT
+ #ZONE IPSEC OPTIONS IN OUT...
 # ONLY OPTIONS OPTIONS
 vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
 loc No reqid=44,mode=transport
+
+ The last column (MSS) in the /etc/shorewall/ipsec file is intended
+ to help compensate for the fact that there is no longer a
+ pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
+ number in this column, Shorewall will generate rules to set the MSS
+ field in TCP SYN packets the the value of that field.
 The /etc/shorewall/masq file has a new IPSEC column added. If you specify Yes or yes in that column then the unencrypted packets will