Reimplement IPSEC MSS setting
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1695 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
86b24f688e
commit
63dc4470ca
@ -109,4 +109,4 @@ Changes since 2.0.3
|
||||
|
||||
52) Detect duplicate zone names.
|
||||
|
||||
53) Add MSS column to the ipsec file.
|
||||
53) Add mss=<number> option to the ipsec file.
|
||||
|
@ -1746,12 +1746,32 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
|
||||
setup_ipsec() {
|
||||
|
||||
set_mss() # $1 = chain
|
||||
set_mss1() # $1 = chain, $2 = MSS
|
||||
{
|
||||
eval local policy=\$${1}_policy
|
||||
if [ "$policy" != NONE ]; then
|
||||
ensurechain $1
|
||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss
|
||||
run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
|
||||
fi
|
||||
}
|
||||
|
||||
set_mss() # $1 = MSS value, $2 = _in, _out or ""
|
||||
{
|
||||
if [ $COMMAND != check ]; then
|
||||
for z in $zones; do
|
||||
case $2 in
|
||||
_in)
|
||||
set_mss1 ${z}2${zone} $1
|
||||
;;
|
||||
_out)
|
||||
set_mss1 ${zone}2${z} $1
|
||||
;;
|
||||
*)
|
||||
set_mss1 ${z}2${zone} $1
|
||||
set_mss1 ${zone}2${z} $1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
@ -1779,6 +1799,7 @@ setup_ipsec() {
|
||||
mode!=*) newoptions="$newoptions ! --mode ${option#*=}" ;;
|
||||
tunnel-src!=*) newoptions="$newoptions ! --tunnel-src ${option#*=}" ;;
|
||||
tunnel-dst!=*) newoptions="$newoptions ! --tunnel-dst ${option#*=}" ;;
|
||||
mss=[0-9]*) set_mss ${option#*=} $1 ;;
|
||||
*) fatal_error "Invalid option \"$option\" for zone $zone" ;;
|
||||
esac
|
||||
done
|
||||
@ -1814,15 +1835,6 @@ setup_ipsec() {
|
||||
do_options "_in" $in_options
|
||||
do_options "_out" $out_options
|
||||
|
||||
if [ $COMMAND != check -a -n "$mss" -a "x$mss" != "x-" ]; then
|
||||
for z in $zones; do
|
||||
if [ $z != $zone ]; then
|
||||
set_mss ${z}2${zone}
|
||||
set_mss ${zone}2${z}
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/ipsec
|
||||
}
|
||||
|
||||
|
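Review bot: The new `mss=[0-9]*)` arm in the do_options case (hunk `@ -1779,6 +1799,7 @@`) only anchors the first character, so a value such as `1400x` or `1400,1` gets past the option parser and reaches `run_iptables ... --set-mss` unvalidated, failing only when the rule is loaded instead of with a clear fatal_error at parse time; a POSIX-safe check would be `mss=*) value=${option#*=}; case $value in ''|*[!0-9]*) fatal_error "Invalid MSS value \"$value\" for zone $zone" ;; esac; set_mss $value $1 ;;`. Separately, the rewritten set_mss loop in `@ -1746,12 +1746,32 @@` iterates every `$z` in `$zones` without the `[ $z != $zone ]` guard the removed block kept, so `set_mss1 ${zone}2${zone} $1` now runs for the zone's own chain as well; if that is intended a comment saying so would help, otherwise `[ $z = $zone ] && continue` at the top of the loop restores the old behaviour. set_mss1 also builds its `eval local policy=\$${1}_policy` from the zone names, which is only safe as long as zone names are restricted to identifier characters elsewhere (the changelog mentions duplicate-name detection but not character validation) — worth confirming. The enclosing setup_ipsec function starts before the first hunk and its do_options helper is only partly visible here.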
@ -26,6 +26,8 @@
|
||||
#
|
||||
# proto=ah|esp|ipcomp
|
||||
#
|
||||
# mss=<number> (sets the MSS field in TCP packets)
|
||||
#
|
||||
# mode=transport|tunnel
|
||||
#
|
||||
# tunnel-src=<address>[/<mask>] (only
|
||||
@ -42,9 +44,6 @@
|
||||
# Example:
|
||||
# mode=transport,reqid=44
|
||||
#
|
||||
# MSS The value that Shorewall should set the MSS field in
|
||||
# SYN packets to/from this zone.
|
||||
#
|
||||
# The options in the OPTIONS column are applied to both incoming
|
||||
# and outgoing traffic. The IN OPTIONS are applied to incoming
|
||||
# traffic (in addition to OPTIONS) and the OUT OPTIONS are
|
||||
@ -53,7 +52,7 @@
|
||||
# If you wish to leave a column empty but need to make an entry
|
||||
# in a following column, use "-".
|
||||
###################################################################################
|
||||
#ZONE IPSEC OPTIONS IN OUT MSS
|
||||
#ZONE IPSEC OPTIONS IN OUT
|
||||
# ONLY OPTIONS OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
||||
|
@ -383,7 +383,7 @@ New Features:
|
||||
entry.
|
||||
|
||||
The OPTIONS, IN OPTIONS and OUT OPTIONS columns specify the
|
||||
input-output, input and output characteristing of the security
|
||||
input-output, input and output characteristics of the security
|
||||
policies to be used to decrypt (input) or encrypt (output) traffic
|
||||
to/from the zone.
|
||||
|
||||
@ -399,6 +399,9 @@ New Features:
|
||||
|
||||
proto[!]=ah|esp|ipcomp
|
||||
|
||||
mss=<number> (sets the MSS value in TCP SYN packets and is not
|
||||
related to policy matching)
|
||||
|
||||
mode[!]=transport|tunnel
|
||||
|
||||
tunnel-src[!]=<address>[/<mask>] (only available with mode=tunnel)
|
||||
@ -420,12 +423,6 @@ New Features:
|
||||
vpn Yes mode=tunnel,proto=esp spi=1000 spi=1001
|
||||
loc No reqid=44,mode=transport
|
||||
|
||||
The last column (MSS) in the /etc/shorewall/ipsec file is intended
|
||||
to help compensate for the fact that there is no longer a
|
||||
pseudo-interface (e.g., ipsec0) with it's own MTU. If you specify a
|
||||
number in this column, Shorewall will generate rules to set the MSS
|
||||
field in TCP SYN packets the the value of that field.
|
||||
|
||||
The /etc/shorewall/masq file has a new IPSEC column added. If you
|
||||
specify Yes or yes in that column then the unencrypted packets will
|
||||
have their source address changed. Otherwise, the unencrypted
|
||||
|