Reimplement IPSEC MSS setting
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1695 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
86b24f688e
commit
63dc4470ca
@ -109,4 +109,4 @@ Changes since 2.0.3
|
|||||||
|
|
||||||
52) Detect duplicate zone names.
|
52) Detect duplicate zone names.
|
||||||
|
|
||||||
53) Add MSS column to the ipsec file.
|
53) Add mss=<number> option to the ipsec file.
|
||||||
|
@ -1746,12 +1746,32 @@ setup_tunnels() # $1 = name of tunnels file
|
|||||||
|
|
||||||
setup_ipsec() {
|
setup_ipsec() {
|
||||||
|
|
||||||
set_mss() # $1 = chain
|
set_mss1() # $1 = chain, $2 = MSS
|
||||||
{
|
{
|
||||||
eval local policy=\$${1}_policy
|
eval local policy=\$${1}_policy
|
||||||
if [ "$policy" != NONE ]; then
|
if [ "$policy" != NONE ]; then
|
||||||
ensurechain $1
|
ensurechain $1
|
||||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
|
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
set_mss() # $1 = MSS value, $2 = _in, _out or ""
|
||||||
|
{
|
||||||
|
if [ $COMMAND != check ]; then
|
||||||
|
for z in $zones; do
|
||||||
|
case $2 in
|
||||||
|
_in)
|
||||||
|
set_mss1 ${z}2${zone} $1
|
||||||
|
;;
|
||||||
|
_out)
|
||||||
|
set_mss1 ${zone}2${z} $1
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
set_mss1 ${z}2${zone} $1
|
||||||
|
set_mss1 ${zone}2${z} $1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1779,6 +1799,7 @@ setup_ipsec() {
|
|||||||
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
|
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
|
||||||
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
|
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
|
||||||
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
|
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
|
||||||
|
mss=[0-9]*) set_mss ${option#*=} $1 ;;
|
||||||
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
@ -1813,15 +1834,6 @@ setup_ipsec() {
|
|||||||
do_options "" $options
|
do_options "" $options
|
||||||
do_options "_in" $in_options
|
do_options "_in" $in_options
|
||||||
do_options "_out" $out_options
|
do_options "_out" $out_options
|
||||||
|
|
||||||
if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
|
|
||||||
for z in $zones; do
|
|
||||||
if [ $z != $zone ]; then
|
|
||||||
set_mss ${z}2${zone}
|
|
||||||
set_mss ${zone}2${z}
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
|
|
||||||
done < $TMP_DIR/ipsec
|
done < $TMP_DIR/ipsec
|
||||||
}
|
}
|
||||||
|
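Review bot: The new set_mss() loop (`for z in $zones` through the `*)` arm) drops the `if [ $z != $zone ]` guard that the removed block in setup_ipsec had, so for a zone's own entry set_mss1 now runs on `${zone}2${zone}` — twice in the `*)` arm, since both chain names expand to the same string — and ensurechain presumably creates that chain when it does not already exist, yielding duplicate TCPMSS rules in a chain the old code never touched. Putting `[ $z = $zone ] && continue` as the first statement of the loop body restores the previous behaviour; if intra-zone traffic is meant to be covered now, that should be deliberate and noted in the function comment. Separately, the `mss=[0-9]*)` pattern in do_options is a shell glob, not a regex: `mss=1400x` matches (one digit, then anything) and the junk reaches `--set-mss`, where only run_iptables will reject it, while `shorewall check` passes; a guard such as `case ${option#*=} in *[!0-9]*|"") fatal_error "Invalid MSS value in \"$option\" for zone $zone" ;; esac` before the set_mss call rejects it at check time. The do_options function that contains that case arm starts and ends outside the hunk.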
@ -24,7 +24,9 @@
|
|||||||
# spi=<number> where <number> is the SPI of
|
# spi=<number> where <number> is the SPI of
|
||||||
# the SA used to encrypt/decrypt packets.
|
# the SA used to encrypt/decrypt packets.
|
||||||
#
|
#
|
||||||
# proto=ah|esp|ipcomp
|
# proto=ah|esp|ipcomp
|
||||||
|
#
|
||||||
|
# mss=<number> (sets the MSS field in TCP packets)
|
||||||
#
|
#
|
||||||
# mode=transport|tunnel
|
# mode=transport|tunnel
|
||||||
#
|
#
|
||||||
@ -42,9 +44,6 @@
|
|||||||
# Example:
|
# Example:
|
||||||
# mode=transport,reqid=44
|
# mode=transport,reqid=44
|
||||||
#
|
#
|
||||||
# MSS The value that Shorewall should set the MSS field in
|
|
||||||
# SYN packets to/from this zone.
|
|
||||||
#
|
|
||||||
# The options in the OPTIONS column are applied to both incoming
|
# The options in the OPTIONS column are applied to both incoming
|
||||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||||
@ -53,7 +52,7 @@
|
|||||||
# If you wish to leave a column empty but need to make an entry
|
# If you wish to leave a column empty but need to make an entry
|
||||||
# in a following column, use "-".
|
# in a following column, use "-".
|
||||||
###################################################################################
|
###################################################################################
|
||||||
#ZONE IPSEC OPTIONS IN OUT MSS
|
#ZONE IPSEC OPTIONS IN OUT
|
||||||
# ONLY OPTIONS OPTIONS
|
# ONLY OPTIONS OPTIONS
|
||||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||||
|
|
||||||
|
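Review bot: The new option comment `# mss=<number> (sets the MSS field in TCP packets)` overstates what the rule does: the generated rule matches only `--tcp-flags SYN,RST SYN`, i.e. SYN packets, as the release-notes text for the same option says. Suggest `# mss=<number> (sets the MSS option in TCP SYN packets; not a policy match)` so the config template and the release notes agree, and so users do not expect the MSS to be rewritten on established flows.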
@ -383,7 +383,7 @@ New Features:
|
|||||||
entry.
|
entry.
|
||||||
|
|
||||||
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
||||||
input-output, input and output characteristing of the security
|
input-output, input and output characteristics of the security
|
||||||
policies to be used to decrypt (input) or encrypt (output) traffic
|
policies to be used to decrypt (input) or encrypt (output) traffic
|
||||||
to/from the zone.
|
to/from the zone.
|
||||||
|
|
||||||
@ -397,7 +397,10 @@ New Features:
|
|||||||
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
option should only be listed in the IN OPTIONS and OUT OPTIONS
|
||||||
columns.
|
columns.
|
||||||
|
|
||||||
proto[!]=ah|esp|ipcomp
|
proto[!]=ah|esp|ipcomp
|
||||||
|
|
||||||
|
mss=<number> (sets the MSS value in TCP SYN packets and is not
|
||||||
|
related to policy matching)
|
||||||
|
|
||||||
mode[!]=transport|tunnel
|
mode[!]=transport|tunnel
|
||||||
|
|
||||||
@ -420,12 +423,6 @@ New Features:
|
|||||||
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||||
loc No reqid=44,mode=transport
|
loc No reqid=44,mode=transport
|
||||||
|
|
||||||
The last column (MSS) in the /etc/shorewall/ipsec file is intended
|
|
||||||
to help compensate for the fact that there is no longer a
|
|
||||||
pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
|
|
||||||
number in this column, Shorewall will generate rules to set the MSS
|
|
||||||
field in TCP SYN packets the the value of that field.
|
|
||||||
|
|
||||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||||
specify Yes or yes in that column then the unencrypted packets will
|
specify Yes or yes in that column then the unencrypted packets will
|
||||||
have their source address changed. Otherwise, the unencrypted
|
have their source address changed. Otherwise, the unencrypted
|
||||||