Reimplement IPSEC MSS setting

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1695 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-10-15 20:00:48 +00:00
parent 86b24f688e
commit 63dc4470ca
4 changed files with 33 additions and 25 deletions

View File

@ -109,4 +109,4 @@ Changes since 2.0.3
52) Detect duplicate zone names. 52) Detect duplicate zone names.
53) Add MSS column to the ipsec file. 53) Add mss=<number> option to the ipsec file.

View File

@ -1746,12 +1746,32 @@ setup_tunnels() # $1 = name of tunnels file
setup_ipsec() { setup_ipsec() {
set_mss() # $1 = chain set_mss1() # $1 = chain, $2 = MSS
{ {
eval local policy=\$${1}_policy eval local policy=\$${1}_policy
if [ "$policy" != NONE ]; then if [ "$policy" != NONE ]; then
ensurechain $1 ensurechain $1
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
fi
}
set_mss() # $1 = MSS value, $2 = _in, _out or ""
{
if [ $COMMAND != check ]; then
for z in $zones; do
case $2 in
_in)
set_mss1 ${z}2${zone} $1
;;
_out)
set_mss1 ${zone}2${z} $1
;;
*)
set_mss1 ${z}2${zone} $1
set_mss1 ${zone}2${z} $1
;;
esac
done
fi fi
} }
@ -1779,6 +1799,7 @@ setup_ipsec() {
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;; mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;; tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;; tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
mss=[0-9]*) set_mss ${option#*=} $1 ;;
*) fatal_error "Invalid option \"$option\" for zone $zone" ;; *) fatal_error "Invalid option \"$option\" for zone $zone" ;;
esac esac
done done
@ -1814,15 +1835,6 @@ setup_ipsec() {
do_options "_in" $in_options do_options "_in" $in_options
do_options "_out" $out_options do_options "_out" $out_options
if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
for z in $zones; do
if [ $z != $zone ]; then
set_mss ${z}2${zone}
set_mss ${zone}2${z}
fi
done
fi
done < $TMP_DIR/ipsec done < $TMP_DIR/ipsec
} }

View File

@ -26,6 +26,8 @@
# #
# proto=ah|esp|ipcomp # proto=ah|esp|ipcomp
# #
# mss=<number> (sets the MSS field in TCP packets)
#
# mode=transport|tunnel # mode=transport|tunnel
# #
# tunnel-src=<address>[/<mask>] (only # tunnel-src=<address>[/<mask>] (only
@ -42,9 +44,6 @@
# Example: # Example:
# mode=transport,reqid=44 # mode=transport,reqid=44
# #
# MSS The value that Shorewall should set the MSS field in
# SYN packets to/from this zone.
#
# The options in the OPTIONS column are applied to both incoming # The options in the OPTIONS column are applied to both incoming
# and outgoing traffic. The IN OPTIONS are applied to incoming # and outgoing traffic. The IN OPTIONS are applied to incoming
# traffic (in addition to OPTIONS) and the OUT OPTIONS are # traffic (in addition to OPTIONS) and the OUT OPTIONS are
@ -53,7 +52,7 @@
# If you wish to leave a column empty but need to make an entry # If you wish to leave a column empty but need to make an entry
# in a following column, use "-". # in a following column, use "-".
################################################################################### ###################################################################################
#ZONE IPSEC OPTIONS IN OUT MSS #ZONE IPSEC OPTIONS IN OUT
# ONLY OPTIONS OPTIONS # ONLY OPTIONS OPTIONS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

View File

@ -383,7 +383,7 @@ New Features:
entry. entry.
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
input-output, input and output characteristing of the security input-output, input and output characteristics of the security
policies to be used to decrypt (input) or encrypt (output) traffic policies to be used to decrypt (input) or encrypt (output) traffic
to/from the zone. to/from the zone.
@ -399,6 +399,9 @@ New Features:
proto[!]=ah|esp|ipcomp proto[!]=ah|esp|ipcomp
mss=<number> (sets the MSS value in TCP SYN packets and is not
related to policy matching)
mode[!]=transport|tunnel mode[!]=transport|tunnel
tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel) tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel)
@ -420,12 +423,6 @@ New Features:
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001 vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
loc No reqid=44,mode=transport loc No reqid=44,mode=transport
The last column (MSS) in the /etc/shorewall/ipsec file is intended
to help compensate for the fact that there is no longer a
pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
number in this column, Shorewall will generate rules to set the MSS
field in TCP SYN packets the the value of that field.
The /etc/shorewall/masq file has a new IPSEC column added. If you The /etc/shorewall/masq file has a new IPSEC column added. If you
specify Yes or yes in that column then the unencrypted packets will specify Yes or yes in that column then the unencrypted packets will
have their source address changed. Otherwise, the unencrypted have their source address changed. Otherwise, the unencrypted