diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 614c98fdf..38bd4ed6c 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -109,4 +109,4 @@ Changes since 2.0.3
 52) Detect duplicate zone names.
-53) Add MSS column to the ipsec file.
+53) Add mss= option to the ipsec file.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index db30801cc..b9538d070 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -1746,12 +1746,32 @@ setup_tunnels() # $1 = name of tunnels file
 setup_ipsec() {
- set_mss() # $1 = chain
+ set_mss1() # $1 = chain, $2 = MSS
 {
 eval local policy=\$${1}_policy
 if [ "$policy" != NONE ]; then
 ensurechain $1
- run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
+ run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
+ fi
+ }
+
+ set_mss() # $1 = MSS value, $2 = _in, _out or ""
+ {
+ if [ $COMMAND != check ]; then
+ for z in $zones; do
+ case $2 in
+ _in)
+ set_mss1 ${z}2${zone} $1
+ ;;
+ _out)
+ set_mss1 ${zone}2${z} $1
+ ;;
+ *)
+ set_mss1 ${z}2${zone} $1
+ set_mss1 ${zone}2${z} $1
+ ;;
+ esac
+ done
 fi
 }
@@ -1779,6 +1799,7 @@ setup_ipsec() {
 mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
 tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
 tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
+ mss=[0-9]*) set_mss ${option#*=} $1 ;;
 *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
 esac
 done
@@ -1813,15 +1834,6 @@ setup_ipsec() {
 do_options "" $options
 do_options "_in" $in_options
 do_options "_out" $out_options
-
- if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
- for z in $zones; do
- if [ $z != $zone ]; then
- set_mss ${z}2${zone}
- set_mss ${zone}2${z}
- fi
- done
- fi
 done < $TMP_DIR/ipsec
 }
diff --git a/Shorewall2/ipsec b/Shorewall2/ipsec
index ab8704e20..d3b352a3f 100644
--- a/Shorewall2/ipsec
+++ b/Shorewall2/ipsec
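Review bot: The new `set_mss` loop drops the `if [ $z != $zone ]` guard that the removed post-loop code in the third hunk had, so with `mss=` set it now also calls `set_mss1 ${zone}2${zone} $1` for the zone paired with itself. Whether a `${zone}2${zone}_policy` variable is ever defined is not visible in this diff; if it is unset, the `"$policy" != NONE` test in set_mss1 succeeds on an empty string and `ensurechain` creates a zone-to-itself chain just to hold the TCPMSS rule. If that is unintended, add `[ $z = $zone ] && continue` as the first statement of the `for z in $zones` loop and say so in the header comment, e.g. `# $1 = MSS value, $2 = _in, _out or "" -- the zone itself is skipped`. Both helpers are nested inside setup_ipsec(), which continues outside the hunk.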
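Review bot: The arm `mss=[0-9]*)` only verifies that the value begins with a digit, so `mss=1400x` is accepted and flows unchanged into `--set-mss $2` in set_mss1, where iptables rejects it while the firewall is being loaded instead of at check time via `fatal_error` like the catch-all arm does for unknown options. Validate the whole value before calling set_mss, e.g. `case ${option#*=} in *[!0-9]*) fatal_error "Invalid mss value \"${option#*=}\" for zone $zone" ;; esac`, and consider a lower bound, since the TCPMSS target does not accept arbitrarily small values (the exact minimum is not visible here). Note also that because the rule is now emitted from inside do_options, listing `mss=` in both OPTIONS and IN OPTIONS inserts the same TCPMSS rule twice into the incoming chains. The enclosing `case` and do_options start and end outside the hunk.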
@@ -24,7 +24,9 @@
 # spi= where is the SPI of
 # the SA used to encrypt/decrypt packets.
 #
-# proto=ah|esp|ipcomp
+# proto=ah|esp|ipcomp
+#
+# mss= (sets the MSS field in TCP packets)
 #
 # mode=transport|tunnel
 #
@@ -42,9 +44,6 @@
 # Example:
 # mode=transport,reqid=44
 #
-# MSS The value that Shorewall should set the MSS field in
-# SYN packets to/from this zone.
-#
 # The options in the OPTIONS column are applied to both incoming
 # and outgoing traffic. The IN OPTIONS are applied to incoming
 # traffic (in addition to OPTIONS) and the OUT OPTIONS are
@@ -53,7 +52,7 @@
 # If you wish to leave a column empty but need to make an entry
 # in a following column, use "-".
 ###################################################################################
-#ZONE IPSEC OPTIONS IN OUT MSS
+#ZONE IPSEC OPTIONS IN OUT
 # ONLY OPTIONS OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index b2862af81..379effad1 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -383,7 +383,7 @@ New Features:
 entry.
 The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
- input-output, input and output characteristing of the security
+ input-output, input and output characteristics of the security
 policies to be used to decrypt (input) or encrypt (output) traffic to/from the zone.
@@ -397,7 +397,10 @@ New Features:
 option should only be listed in the IN OPTIONS and OUT OPTIONS columns.
- proto[!]=ah|esp|ipcomp
+ proto[!]=ah|esp|ipcomp
+
+ mss= (sets the MSS value in TCP SYN packets and is not
+ related to policy matching)
 mode[!]=transport|tunnel
@@ -420,12 +423,6 @@ New Features:
 vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
 loc No reqid=44,mode=transport
- The last column (MSS) in the /etc/shorewall/ipsec file is intended
- to help compensate for the fact that there is no longer a
- pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
- number in this column, Shorewall will generate rules to set the MSS
- field in TCP SYN packets the the value of that field.
-
 The /etc/shorewall/masq file has a new IPSEC column added. If you specify Yes or yes in that column then the unencrypted packets will have their source address changed. Otherwise, the unencrypted