author | initramfs <initramfs@initramfs.io> | 2022-09-26 11:01:02 +0800 |
---|---|---|
committer | initramfs <initramfs@initramfs.io> | 2022-09-26 11:01:02 +0800 |
commit | 7709663c61f988cc60444fa932164f4931dfa7e3 (patch) | |
tree | 872363bf9534053a127d1aae13f5cf401531410b | |
parent | 435016fdb353b79577c40baa23af8e01fcadd098 (diff) | |
download | vyos-1x-7709663c61f988cc60444fa932164f4931dfa7e3.tar.gz vyos-1x-7709663c61f988cc60444fa932164f4931dfa7e3.zip |
firewall: T4709: adjust TCP MSS clamping ranges and options
This commit fixes the MSS clamping ranges and reintroduces the
clamp-mss-to-pmtu option value, which clamps the MSS to the PMTU instead.
-rw-r--r-- | interface-definitions/firewall-options.xml.in | 24 | ||||
-rwxr-xr-x | src/conf_mode/firewall_options.py | 14 |
2 files changed, 30 insertions, 8 deletions
diff --git a/interface-definitions/firewall-options.xml.in b/interface-definitions/firewall-options.xml.in
index 8d9225a9a..1bcee2011 100644
--- a/interface-definitions/firewall-options.xml.in
+++ b/interface-definitions/firewall-options.xml.in
@@ -20,24 +20,40 @@
 <leafNode name="adjust-mss">
 <properties>
 <help>Adjust MSS for IPv4 transit packets</help>
+ <completionHelp>
+ <list>clamp-mss-to-pmtu</list>
+ </completionHelp>
 <valueHelp>
- <format>500-1460</format>
+ <format>clamp-mss-to-pmtu</format>
+ <description>Automatically sets the MSS to the proper value</description>
+ </valueHelp>
+ <valueHelp>
+ <format>536-65535</format>
 <description>TCP Maximum segment size in bytes</description>
 </valueHelp>
 <constraint>
- <validator name="numeric" argument="--range 500-1460"/>
+ <validator name="numeric" argument="--range 536-65535"/>
+ <regex>(clamp-mss-to-pmtu)</regex>
 </constraint>
 </properties>
 </leafNode>
 <leafNode name="adjust-mss6">
 <properties>
 <help>Adjust MSS for IPv6 transit packets</help>
+ <completionHelp>
+ <list>clamp-mss-to-pmtu</list>
+ </completionHelp>
+ <valueHelp>
+ <format>clamp-mss-to-pmtu</format>
+ <description>Automatically sets the MSS to the proper value</description>
+ </valueHelp>
 <valueHelp>
- <format>1280-1492</format>
+ <format>1220-65535</format>
 <description>TCP Maximum segment size in bytes</description>
 </valueHelp>
 <constraint>
- <validator name="numeric" argument="--range 1280-1492"/>
+ <validator name="numeric" argument="--range 1220-65535"/>
+ <regex>(clamp-mss-to-pmtu)</regex>
 </constraint>
 </properties>
 </leafNode>
diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py
index 67bf5d0e2..b7f4aa82c 100755
--- a/src/conf_mode/firewall_options.py
+++ b/src/conf_mode/firewall_options.py
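Review bot: The new `<description>Automatically sets the MSS to the proper value</description>` under both `clamp-mss-to-pmtu` valueHelp entries (adjust-mss and adjust-mss6) does not tell the operator what "proper" means, while the option name and the corresponding iptables target make it concrete. A wording such as `<description>Clamp MSS to the path MTU of the outgoing interface</description>` would let a user choose between this value and an explicit size without consulting the iptables documentation. The help text for the numeric alternative could likewise state that the value is an explicit MSS in bytes rather than a clamp, e.g. `<description>Explicit TCP maximum segment size in bytes</description>`, so the two valueHelp entries read as the two distinct modes they are.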
@@ -115,9 +115,12 @@ def apply(tcp):
 continue
 # adjust TCP MSS per interface
- if mss:
+ if mss == 'clamp-mss-to-pmtu':
 call('iptables --table mangle --append {} --out-interface {} --protocol tcp '
- '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
+ '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf))
+ elif mss:
+ call('iptables --table mangle --append {} --out-interface {} --protocol tcp '
+ '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
 # Setup new ip6tables rules
 if tcp['new_chain6']:
@@ -133,9 +136,12 @@ def apply(tcp):
 continue
 # adjust TCP MSS per interface
- if mss:
+ if mss == 'clamp-mss-to-pmtu':
+ call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp '
+ '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf))
+ elif mss:
 call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp '
- '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
+ '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
 return None |
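Review bot: The new `elif mss:` branch in the iptables hunk, and its ip6tables twin in the second hunk, still splice the configured value straight into a shell command string handed to `call()`, so the only guard between the CLI value and the shell appears to be the numeric-range and regex constraint in firewall-options.xml.in; a comment making that dependency visible, e.g. `# mss is either the literal 'clamp-mss-to-pmtu' or an integer already range-checked by the interface definition`, would keep a later loosening of the constraint from silently widening what reaches the shell. The two branches also repeat the entire iptables command apart from the final TCPMSS argument; computing it once with `mss_arg = '--clamp-mss-to-pmtu' if mss == 'clamp-mss-to-pmtu' else '--set-mss {}'.format(mss)` and keeping a single `call(...)` whose tail is `'--tcp-flags SYN,RST SYN --jump TCPMSS {} >&/dev/null'.format(target, intf, mss_arg)` removes the duplication in both hunks. `>&/dev/null` also discards any failure of the iptables call, so a rejected MSS value would go unnoticed at commit time; that is pre-existing behaviour, but worth a comment if it is intentional. The enclosing function apply() begins before both hunks and its body continues outside the first.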