Don't increase MSS

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6539 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/lib.config

@@ -413,7 +413,7 @@ setup_ipsec() {
 
 	if [ "$policy" != NONE ]; then
 	    ensurechain $1
-	    run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $2
+	    run_iptables -I $1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $2: -j TCPMSS --set-mss $2
 	fi
     }
     #

Shorewall-common/releasenotes.txt

@@ -36,7 +36,7 @@ Other changes in Shorewall 4.0.0 Beta 5.
 
     The compiler program is /usr/share/shorewall-perl/compiler.pl:
 
-	compiler.pl [ <options> ] [ <filename> ]
+	compiler.pl [ <option> ... ] [ <filename> ]
 
     If a <filename> is given, then the configuration will be compiled
     output placed in the named file. If <filename> is not given, then

Shorewall-perl/Shorewall/Chains.pm

@@ -699,7 +699,7 @@ sub set_mss1( $$ ) {
     my $chainref = ensure_chain 'filter', $chain;
 
     if ( $chainref->{policy} ne 'NONE' ) {
-	insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $mss"
+	insert_rule $chainref, 1, "-p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss $mss: -j TCPMSS --set-mss $mss"
     }
 }
 

Shorewall-perl/Shorewall/Rules.pm

@@ -1777,9 +1777,17 @@ sub generate_matrix() {
 
 sub setup_mss( $ ) {
     my $clampmss = $_[0];
-    my $option = "\L$clampmss" eq 'yes' ? '--clamp-mss-to-pmtu' : '--set-mss $clampmss';
+    my $option;
+    my $match = '';
 
-    add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN -j TCPMSS $option";
+    if ( "\L$clampmss" eq 'yes' ) {
+	$option = '--clamp-mss-to-pmtu';
+    } else {
+	$match  = "-m tcpmss --mss $clampmss: ";
+	$option = '--set-mss $clampmss';
+    }
+    
+    add_rule $filter_table->{FORWARD} , "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS $option";
 }
 
 sub dump_rule_chains() {