From 7709663c61f988cc60444fa932164f4931dfa7e3 Mon Sep 17 00:00:00 2001 From: initramfs Date: Mon, 26 Sep 2022 11:01:02 +0800 Subject: firewall: T4709: adjust TCP MSS clamping ranges and options This commit fixes MSS clamping ranges as well as reintroduces the clamp-mss-to-pmtu option value to clamp to PMTU instead. --- interface-definitions/firewall-options.xml.in | 24 ++++++++++++++++++++---- src/conf_mode/firewall_options.py | 14 ++++++++++---- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/interface-definitions/firewall-options.xml.in b/interface-definitions/firewall-options.xml.in index 8d9225a9a..1bcee2011 100644 --- a/interface-definitions/firewall-options.xml.in +++ b/interface-definitions/firewall-options.xml.in @@ -20,24 +20,40 @@ Adjust MSS for IPv4 transit packets + + clamp-mss-to-pmtu + - 500-1460 + clamp-mss-to-pmtu + Automatically sets the MSS to the proper value + + + 536-65535 TCP Maximum segment size in bytes - + + (clamp-mss-to-pmtu) Adjust MSS for IPv6 transit packets + + clamp-mss-to-pmtu + + + clamp-mss-to-pmtu + Automatically sets the MSS to the proper value + - 1280-1492 + 1220-65535 TCP Maximum segment size in bytes - + + (clamp-mss-to-pmtu) diff --git a/src/conf_mode/firewall_options.py b/src/conf_mode/firewall_options.py index 67bf5d0e2..b7f4aa82c 100755 --- a/src/conf_mode/firewall_options.py +++ b/src/conf_mode/firewall_options.py 
@@ -115,9 +115,12 @@ def apply(tcp): continue # adjust TCP MSS per interface - if mss: + if mss == 'clamp-mss-to-pmtu': call('iptables --table mangle --append {} --out-interface {} --protocol tcp ' - '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss)) + '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf)) + elif mss: + call('iptables --table mangle --append {} --out-interface {} --protocol tcp ' + '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss)) # Setup new ip6tables rules if tcp['new_chain6']: @@ -133,9 +136,12 @@ def apply(tcp): continue # adjust TCP MSS per interface - if mss: + if mss == 'clamp-mss-to-pmtu': + call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp ' + '--tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu >&/dev/null'.format(target, intf)) + elif mss: call('ip6tables --table mangle --append {} --out-interface {} --protocol tcp ' - '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss)) + '--tcp-flags SYN,RST SYN --jump TCPMSS --set-mss {} >&/dev/null'.format(target, intf, mss)) return None -- cgit v1.2.3
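Review bot: The new `elif mss:` branch still splices the configured value straight into a shell command line (the `>&/dev/null` redirection only works if `call()` hands the string to a shell), so the only thing keeping a malformed value out of the `iptables` invocation is the `536-65535` / `1220-65535` range check this same commit puts in firewall-options.xml.in; that dependency should be recorded next to the branch, e.g. `# mss is either the literal 'clamp-mss-to-pmtu' or a validated integer (see interface-definitions); never pass unchecked input here`. The two branches also duplicate the entire iptables command and differ only in the TCPMSS argument, which invites the kind of drift visible in the ip6tables hunk where only the string line moved; a single call with the argument chosen up front reads better: `if mss:`, `mss_arg = '--clamp-mss-to-pmtu' if mss == 'clamp-mss-to-pmtu' else '--set-mss {}'.format(mss)`, `'--tcp-flags SYN,RST SYN --jump TCPMSS {} >&/dev/null'.format(target, intf, mss_arg)`. The same two points apply to the ip6tables hunk at `@@ -133,9 +136,12 @@`. The enclosing `apply(tcp)` begins above both hunks, so where `mss` is read from the config dict is not visible here.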