author | Christian Poessinger <christian@poessinger.com> | 2019-04-21 13:19:12 +0200 |
committer | Christian Poessinger <christian@poessinger.com> | 2019-04-21 13:19:12 +0200 |
commit | 476aa4c3a561ea0ef0bf9b4c26ec8b78d18a5d02 (patch) | |
tree | c3001c3c6619a39e12c712909518769391a03a71 /interface-definitions/firewall-options.xml | |
parent | afbd14c8a97984f7b1385ee6eaff08a7e2264956 (diff) | |
[firewall] T314: add firewall options for MSS clamping
* clamp MSS IPv4
set firewall options interface pppoe0 adjust-mss '1452'
* clamp MSS IPv6
set firewall options interface pppoe0 adjust-mss6 '1452'
* disable entire rule
set firewall options interface pppoe0 disable
Output
------
$ sudo iptables-save -t mangle
# Generated by iptables-save v1.4.21 on Sun Apr 21 12:56:25 2019
*mangle
:PREROUTING ACCEPT [1217:439885]
:INPUT ACCEPT [290:52459]
:FORWARD ACCEPT [920:375774]
:OUTPUT ACCEPT [301:100053]
:POSTROUTING ACCEPT [1221:475827]
:VYOS_FW_OPTIONS - [0:0]
-A FORWARD -j VYOS_FW_OPTIONS
-A VYOS_FW_OPTIONS -o pppoe0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
COMMIT
Completed on Sun Apr 21 12:56:25 2019
Diffstat (limited to 'interface-definitions/firewall-options.xml')
-rw-r--r-- | interface-definitions/firewall-options.xml | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/interface-definitions/firewall-options.xml b/interface-definitions/firewall-options.xml
new file mode 100644
index 000000000..2936cc703
--- /dev/null
+++ b/interface-definitions/firewall-options.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="firewall">
+ <children>
+ <node name="options">
+ <properties>
+ <help>Firewall options/Packet manipulation</help>
+ <priority>990</priority>
+ </properties>
+ <children>
+ <tagNode name="interface" owner="sudo ${vyos_conf_scripts_dir}/firewall_options.py">
+ <properties>
+ <help>Interface clamping options</help>
+ <completionHelp>
+ <script>${vyos_completion_dir}/list_interfaces.py</script>
+ </completionHelp>
+ </properties>
+ <children>
+ <leafNode name="disable">
+ <properties>
+ <help>Disable this rule</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="adjust-mss">
+ <properties>
+ <help>Adjust MSS for IPv4 transit packets</help>
+ <valueHelp>
+ <format>500-1460</format>
+ <description>TCP Maximum segment size in bytes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 500-1460"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="adjust-mss6">
+ <properties>
+ <help>Adjust MSS for IPv6 transit packets</help>
+ <valueHelp>
+ <format>1280-1492</format>
+ <description>TCP Maximum segment size in bytes</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1280-1492"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition> |
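Review bot: The `interface` tagNode has a `<completionHelp>` but no `<constraint>`, so the interface name is accepted by the CLI unvalidated, whereas both `adjust-mss*` leaves get a numeric validator; that value is handed to the owner script `${vyos_conf_scripts_dir}/firewall_options.py` (not in this hunk) and, going by the commit message, ends up as the `-o` argument of an iptables rule, so the whole burden of rejecting unexpected input currently sits in the script. A constraint on the tag value keeps that check at the interface-definition layer, e.g. `<constraint><regex>^[a-zA-Z0-9_.-]+$</regex></constraint>` inside the tagNode's `<properties>` (constructed example pattern — align it with the names list_interfaces.py can produce). Separately, the `adjust-mss6` range `1280-1492` looks carried over from the IPv4 side rather than derived for IPv6: on the pppoe0 example link (MTU 1492) the largest IPv6 MSS is 1432 (1492 minus a 40-byte IPv6 header and a 20-byte TCP header), so the commit's own `adjust-mss6 '1452'` example configures a value the link cannot carry. The lower bound 1280 likewise excludes the MSS that fits the IPv6 minimum link MTU of 1280 bytes (1220). Whatever range is settled on, the `<format>` text duplicates the validator's `--range` and has to be kept in step with it.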