From 7d024a324412f4902b9ba212277901bbbe2f949c Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Sun, 21 Apr 2019 13:19:12 +0200
Subject: [firewall] T314: add firewall options for MSS clamping

* clamp MSS IPv4
  set firewall options interface pppoe0 adjust-mss '1452'

* clamp MSS IPv6
  set firewall options interface pppoe0 adjust-mss6 '1452'

* disable entire rule
  set firewall options interface pppoe0 disable

Output
------

  $ sudo iptables-save -t mangle
  # Generated by iptables-save v1.4.21 on Sun Apr 21 12:56:25 2019
  *mangle
  :PREROUTING ACCEPT [1217:439885]
  :INPUT ACCEPT [290:52459]
  :FORWARD ACCEPT [920:375774]
  :OUTPUT ACCEPT [301:100053]
  :POSTROUTING ACCEPT [1221:475827]
  :VYOS_FW_OPTIONS - [0:0]
  -A FORWARD -j VYOS_FW_OPTIONS
  -A VYOS_FW_OPTIONS -o pppoe0 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
  COMMIT
  Completed on Sun Apr 21 12:56:25 2019

(cherry picked from commit 476aa4c3a561ea0ef0bf9b4c26ec8b78d18a5d02)
---
 interface-definitions/firewall-options.xml | 55 ++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 interface-definitions/firewall-options.xml

(limited to 'interface-definitions')

diff --git a/interface-definitions/firewall-options.xml b/interface-definitions/firewall-options.xml
new file mode 100644
index 000000000..2936cc703
--- /dev/null
+++ b/interface-definitions/firewall-options.xml
@@ -0,0 +1,55 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+  <node name="firewall">
+    <children>
+      <node name="options">
+        <properties>
+          <help>Firewall options/Packet manipulation</help>
+          <priority>990</priority>
+        </properties>
+        <children>
+          <tagNode name="interface" owner="sudo ${vyos_conf_scripts_dir}/firewall_options.py">
+            <properties>
+              <help>Interface clamping options</help>
+              <completionHelp>
+                <script>${vyos_completion_dir}/list_interfaces.py</script>
+              </completionHelp>
+            </properties>
+            <children>
+              <leafNode name="disable">
+                <properties>
+                  <help>Disable this rule</help>
+                  <valueless/>
+                </properties>
+              </leafNode>
+              <leafNode name="adjust-mss">
+                <properties>
+                  <help>Adjust MSS for IPv4 transit packets</help>
+                  <valueHelp>
+                    <format>500-1460</format>
+                    <description>TCP Maximum segment size in bytes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 500-1460"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+              <leafNode name="adjust-mss6">
+                <properties>
+                  <help>Adjust MSS for IPv6 transit packets</help>
+                  <valueHelp>
+                    <format>1280-1492</format>
+                    <description>TCP Maximum segment size in bytes</description>
+                  </valueHelp>
+                  <constraint>
+                    <validator name="numeric" argument="--range 1280-1492"/>
+                  </constraint>
+                </properties>
+              </leafNode>
+            </children>
+          </tagNode>
+        </children>
+      </node>
+    </children>
+  </node>
+</interfaceDefinition>
-- 
cgit v1.2.3