Merge pull request #1557 from initramfs/equuleus-fix-tcp-mss

firewall: T4709: fix firewall MSS clamping issues

1 files changed, 10 insertions, 4 deletions

diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py
index 67bf5d0e2..b7f4aa82c 100755
--- a/src/conf_mode/firewall_options.py
+++ b/src/conf_mode/firewall_options.py
@@ -115,9 +115,12 @@ def apply(tcp):
                 continue
 
             # adjust TCP MSS per interface
-            if mss:
+            if mss == 'clamp-mss-to-pmtu':
                 call('iptables --table mangle --append {} --out-interface {} --protocol tcp '
-                          '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
+                     '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf))
+            elif mss:
+                call('iptables --table mangle --append {} --out-interface {} --protocol tcp '
+                     '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
 
     # Setup new ip6tables rules
     if tcp['new_chain6']:
@@ -133,9 +136,12 @@ def apply(tcp):
                 continue
 
             # adjust TCP MSS per interface
-            if mss:
+            if mss == 'clamp-mss-to-pmtu':
+                call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp '
+                     '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf))
+            elif mss:
                 call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp '
-                    '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
+                     '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss))
 
     return None