3 files changed, 61 insertions, 0 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index e62d198..7b6c82b 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -26,6 +26,7 @@ my %fields = (
 _icmpv6_type => undef,
 _mod_mark => undef,
 _mod_dscp => undef,
+ _mod_tcpmss => undef,
 _ipsec => undef,
 _non_ipsec => undef,
 _frag => undef,
@@ -77,6 +78,7 @@ my %dummy_rule = (
 _icmpv6_type => undef,
 _mod_mark => undef,
 _mod_dscp => undef,
+ _mod_tcpmss => undef,
 _ipsec => undef,
 _non_ipsec => undef,
 _frag => undef,
@@ -166,6 +168,7 @@ sub setup_base {
 $self->{_icmpv6_type} = $config->$val_func("icmpv6 type");
 $self->{_mod_mark} = $config->$val_func("modify mark");
 $self->{_mod_dscp} = $config->$val_func("modify dscp");
+ $self->{_mod_tcpmss} = $config->$val_func("modify tcp-mss");
 $self->{_ipsec} = $config->$exists_func("ipsec match-ipsec");
 $self->{_non_ipsec} = $config->$exists_func("ipsec match-none");
 $self->{_frag} = $config->$exists_func("fragment match-frag");
@@ -242,6 +245,7 @@ sub print {
 if defined $self->{_icmpv6_type};
 print "mod mark: $self->{_mod_mark}\n" if defined $self->{_mod_mark};
 print "mod dscp: $self->{_mod_dscp}\n" if defined $self->{_mod_dscp};
+ print "mod tcp-mss: $self->{_mod_tcpmss}\n" if defined $self->{_mod_tcpmss};
 $src->print();
 $dst->print();
@@ -580,6 +584,21 @@ first character capitalized eg. Mon,Thu,Sat For negation, add ! in front eg. !Mo
 $rule .= "-j DSCP --set-dscp $self->{_mod_dscp} ";
 $count++;
 }
+ if (defined($self->{_mod_tcpmss})) {
+ # TCP-MSS
+ # check for SYN flag
+ if (!defined $self->{_tcp_flags} ||
+ !(($self->{_tcp_flags} =~ m/SYN/) && !($self->{_tcp_flags} =~ m/!SYN/))) {
+ return ('need to set TCP SYN flag to modify TCP MSS', );
+ }
+
+ if ($self->{_mod_tcpmss} =~ m/\d/) {
+ $rule .= "-j TCPMSS --set-mss $self->{_mod_tcpmss} ";
+ } else {
+ $rule .= "-j TCPMSS --clamp-mss-to-pmtu ";
+ }
+ $count++;
+ }
 # others
diff --git a/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
new file mode 100644
index 0000000..8d2248e
--- /dev/null
+++ b/templates/firewall/ipv6-modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
@@ -0,0 +1,21 @@
+type: txt
+help: TCP Maximum Segment Size
+
+syntax:expression:
+exec "
+if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
+ if [ $VAR(@) == \"pmtu\" ]; then \
+ exit 0; \
+ fi; \
+else \
+ if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
+ ( $VAR(@) -ge \"500\" ) && \
+ ( $VAR(@) -le \"1460\" ) ]]; then \
+ exit 0; \
+ fi; \
+fi; \
+echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
+exit 1"
+
+val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 60 bytes
+val_help: 500-1460; Explicitly set TCP MSS value
diff --git a/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def b/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
new file mode 100644
index 0000000..7a61966
--- /dev/null
+++ b/templates/firewall/modify/node.tag/rule/node.tag/modify/tcp-mss/node.def
@@ -0,0 +1,21 @@
+type: txt
+help: TCP Maximum Segment Size
+
+syntax:expression:
+exec "
+if [[ $VAR(@) =~ ^[[:alpha:]]*$ ]]; then \
+ if [ $VAR(@) == \"pmtu\" ]; then \
+ exit 0; \
+ fi; \
+else \
+ if [[ ( $VAR(@) =~ ^[[:digit:]]*$ ) && \
+ ( $VAR(@) -ge \"500\" ) && \
+ ( $VAR(@) -le \"1460\" ) ]]; then \
+ exit 0; \
+ fi; \
+fi; \
+echo Value must be \\'pmtu\\' or a number between 500 and 1460; \
+exit 1"
+
+val_help: pmtu; Automatically set to Path Maximum Transfer Unit minus 40 bytes
+val_help: 500-1460; Explicitly set TCP MSS value |
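Review bot: `$VAR(@)` is spliced unquoted into the `exec` validator (both the `[[ ... =~ ... ]]` tests and the `[ ... == \"pmtu\" ]` test) while the leaf is `type: txt`, so, assuming the template engine substitutes the raw text as the unescaped use here suggests, a value containing whitespace or shell metacharacters is parsed by bash as part of the script and can break or bypass the `[[ ]]` expression instead of being rejected by it; exposure is limited to users who already hold configuration access, but this validator is the only gate before the value is interpolated into an iptables command line in Rule.pm. The two character-class regexes also use `*`, so an empty value satisfies `^[[:alpha:]]*$` and then hits `[ == \"pmtu\" ]`, which fails with a bash syntax error rather than the intended message, if the backend can ever pass an empty value through. Quoting the substitution and requiring at least one character closes both: `if [[ \"$VAR(@)\" =~ ^[[:alpha:]]+$ ]]; then \` and `if [[ ( \"$VAR(@)\" =~ ^[[:digit:]]+$ ) && \`, with the same quoting on the `pmtu` comparison and the `-ge`/`-le` lines.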
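Review bot: The validator in this IPv4 template is a verbatim copy of the one in the ipv6-modify template in the same commit (only the `pmtu` help text differs, 40 versus 60 bytes), so the accepted range, the `pmtu` keyword and the error message now live in two files that must be edited together. Moving the check into a single helper script that both `syntax:expression: exec` lines invoke would keep them from drifting; failing that, a one-line comment in each file such as `# keep in sync with the ipv6-modify tcp-mss node.def` at least flags the coupling. The 40/60-byte difference in the `pmtu` `val_help` appears to reflect IPv4 versus IPv6 header overhead and is the one part that should stay distinct.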