summaryrefslogtreecommitdiff
path: root/python/vyos/ifconfig/interface.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2021-08-19 18:14:13 +0200
committerChristian Poessinger <christian@poessinger.com>2021-08-21 15:26:35 +0200
commitb7bfcb6ef0e712bb8c39241051e716a833b2ffe8 (patch)
tree6bc7ae43df3fd7e20976dad68cf98a856b236cab /python/vyos/ifconfig/interface.py
parent6bd780887c0e13dc9272ec499ebc6f01cfaf7ea6 (diff)
downloadvyos-1x-b7bfcb6ef0e712bb8c39241051e716a833b2ffe8.tar.gz
vyos-1x-b7bfcb6ef0e712bb8c39241051e716a833b2ffe8.zip
interfaces: T3090: migrate adjust-mss from "firewall options" to "interface" level
Getting rid of "set firewall options" and move it from: set firewall options interface ethX adjust-mss 1400 set firewall options interface ethX adjust-mss6 1400 to: set interfaces ethernet ethX ip adjust-mss 1400 set interfaces ethernet ethX ipv6 adjust-mss 1400 In addition add an extra option called clamp-mss-to-pmtu instead of a value.
Diffstat (limited to 'python/vyos/ifconfig/interface.py')
-rwxr-xr-xpython/vyos/ifconfig/interface.py66
1 files changed, 66 insertions, 0 deletions
diff --git a/python/vyos/ifconfig/interface.py b/python/vyos/ifconfig/interface.py
index a1928ba51..53b57a83f 100755
--- a/python/vyos/ifconfig/interface.py
+++ b/python/vyos/ifconfig/interface.py
@@ -436,6 +436,62 @@ class Interface(Control):
"""
return self.set_interface('arp_cache_tmo', tmo)
+ def set_tcp_ipv4_mss(self, mss):
+ """
+ Set IPv4 TCP MSS value advertised when TCP SYN packets leave this
+ interface. Value is in bytes.
+
+ A value of 0 will disable the MSS adjustment
+
+ Example:
+ >>> from vyos.ifconfig import Interface
+ >>> Interface('eth0').set_tcp_ipv4_mss(1340)
+ """
+ iptables_bin = 'iptables'
+ base_options = f'-A FORWARD -o {self.ifname} -p tcp -m tcp --tcp-flags SYN,RST SYN'
+ out = self._cmd(f'{iptables_bin}-save -t mangle')
+ for line in out.splitlines():
+ if line.startswith(base_options):
+ # remove OLD MSS mangling configuration
+ line = line.replace('-A FORWARD', '-D FORWARD')
+ self._cmd(f'{iptables_bin} -t mangle {line}')
+
+ cmd_mss = f'{iptables_bin} -t mangle {base_options} --jump TCPMSS'
+ if mss == 'clamp-mss-to-pmtu':
+ self._cmd(f'{cmd_mss} --clamp-mss-to-pmtu')
+ elif int(mss) > 0:
+ # probably add option to clamp only if bigger:
+ low_mss = str(int(mss) + 1)
+ self._cmd(f'{cmd_mss} -m tcpmss --mss {low_mss}:65535 --set-mss {mss}')
+
+ def set_tcp_ipv6_mss(self, mss):
+ """
+ Set IPv6 TCP MSS value advertised when TCP SYN packets leave this
+ interface. Value is in bytes.
+
+ A value of 0 will disable the MSS adjustment
+
+ Example:
+ >>> from vyos.ifconfig import Interface
+ >>> Interface('eth0').set_tcp_mss(1320)
+ """
+ iptables_bin = 'ip6tables'
+ base_options = f'-A FORWARD -o {self.ifname} -p tcp -m tcp --tcp-flags SYN,RST SYN'
+ out = self._cmd(f'{iptables_bin}-save -t mangle')
+ for line in out.splitlines():
+ if line.startswith(base_options):
+ # remove OLD MSS mangling configuration
+ line = line.replace('-A FORWARD', '-D FORWARD')
+ self._cmd(f'{iptables_bin} -t mangle {line}')
+
+ cmd_mss = f'{iptables_bin} -t mangle {base_options} --jump TCPMSS'
+ if mss == 'clamp-mss-to-pmtu':
+ self._cmd(f'{cmd_mss} --clamp-mss-to-pmtu')
+ elif int(mss) > 0:
+ # probably add option to clamp only if bigger:
+ low_mss = str(int(mss) + 1)
+ self._cmd(f'{cmd_mss} -m tcpmss --mss {low_mss}:65535 --set-mss {mss}')
+
def set_arp_filter(self, arp_filter):
"""
Filter ARP requests
@@ -1202,6 +1258,16 @@ class Interface(Control):
# checked before
self.set_vrf(config.get('vrf', ''))
+ # Configure MSS value for IPv4 TCP connections
+ tmp = dict_search('ip.adjust_mss', config)
+ value = tmp if (tmp != None) else '0'
+ self.set_tcp_ipv4_mss(value)
+
+ # Configure MSS value for IPv6 TCP connections
+ tmp = dict_search('ipv6.adjust_mss', config)
+ value = tmp if (tmp != None) else '0'
+ self.set_tcp_ipv6_mss(value)
+
# Configure ARP cache timeout in milliseconds - has default value
tmp = dict_search('ip.arp_cache_timeout', config)
value = tmp if (tmp != None) else '30'