Allow CLAMPMSS to set an explicit MSS value

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1679 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-10-13 00:42:26 +00:00
parent d64c7fd3e6
commit d60d81ca35
4 changed files with 37 additions and 5 deletions


@ -104,3 +104,5 @@ Changes since 2.0.3
49) Correct logmartians handling.
50) Add a clarification and fix a typo in the blacklist file.
51) Allow setting a specify MSS value.


@ -5475,9 +5475,16 @@ initialize_netfilter () {
run_iptables -A $chain -p ! icmp -m state --state INVALID -j DROP
done
[ -n "$CLAMPMSS" ] && \
run_iptables -A FORWARD -p tcp \
--tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
if [ -n "$CLAMPMSS" ]; then
case $CLAMPMSS in
Yes)
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
;;
*)
run_iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss $CLAMPMSS
;;
esac
fi
if [ -z "$NEWNOTSYN" ]; then
createchain newnotsyn no
@ -6957,8 +6964,15 @@ do_initialize() {
fi
[ -z "$BLACKLIST_DISPOSITION" ] && BLACKLIST_DISPOSITION=DROP
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
case "$CLAMPMSS" in
[0-9]*)
;;
*)
CLAMPMSS=$(added_param_value_no CLAMPMSS $CLAMPMSS)
;;
esac
ADD_SNAT_ALIASES=$(added_param_value_no ADD_SNAT_ALIASES $ADD_SNAT_ALIASES)
ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
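Review bot: The `[0-9]*)` arm added in do_initialize accepts any value that merely begins with a digit, so a mistyped setting such as `14oo` or `1400 bytes` skips normalisation and is used as-is. It then reaches `--set-mss $CLAMPMSS` in initialize_netfilter unquoted, where it is word-split into extra iptables arguments or rejected only when the rule is being installed. shorewall.conf is administrator-controlled, so this is a robustness issue rather than an exposure, but a ruleset that fails partway through loading is worth avoiding on a firewall. I would add an arm `[0-9]*[!0-9]*)` ahead of `[0-9]*)` that reports a configuration error, and quote the expansion as `--set-mss "$CLAMPMSS"`. Both functions continue outside the hunks shown, so any existing validation elsewhere is not visible here.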


@ -551,3 +551,11 @@ New Features:
If you wish to globally enable martian logging, you can set
MARTIAN_LOGGING=Yes in shorewall.conf.
22) You may now cause Shorewall to use the '--set-mss' option of the
TCPMSS target. In other words, you can cause Shorewall to set the
MSS field of SYN packets passing through the firewall to the value
you specify.
Example:
CLAMPMSS=1400


@ -444,6 +444,14 @@ MARK_IN_FORWARD_CHAIN=No
#
# If left blank, or set to "No" or "no", the option is not enabled.
#
# You may also set this option to a numeric value in which case Shorewall will
# set up a rule that will modify the MSS value in SYN packets to the value that
# you specify.
#
# Example:
#
# CLAMPMSS=1400
#
CLAMPMSS=No
#