From 1fd35cfbc0bc46e9d128cf745055513d29f43ec7 Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Sun, 27 Jul 2014 21:41:22 +0000
Subject: [PATCH] Adding new MSS options
---
 CHANGELOG | 3 ++-
 etc/ipv4.conf | 4 ++--
 etc/ipv4/mss-clamp.conf | 11 ++++++-----
 etc/ipv6/mss-clamp.conf | 11 ++++++-----
 lib/iptables.inc | 11 ++++++++---
 5 files changed, 24 insertions(+), 16 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index cf675e7..b99a4c9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,6 @@
-2.01 Alpha 1 - 05/29/2014
+2.01 Alpha 1 - 07/27/2014
 - Fix executable bits on .sh files in custom
+ - Make MSS clamp optional and allow setting MSS size manually
 2.00 Release
 - Add common options for sysctl/proc tweaking of network settings
diff --git a/etc/ipv4.conf b/etc/ipv4.conf
index 9b4b288..fb4df72 100644
--- a/etc/ipv4.conf
+++ b/etc/ipv4.conf
@@ -110,12 +110,12 @@ Enablev4NetfilterModules="yes"
 # Default: nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc
 # nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre
 # nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip
-# nf_conntrack_broadcast
+# nf_conntrack_broadcast nf_conntrack_tftp
 Loadv4NetfilterModules="nf_conntrack_ftp nf_conntrack_h323 nf_conntrack_irc nf_conntrack_pptp nf_conntrack_proto_dccp nf_conntrack_proto_gre nf_conntrack_proto_sctp nf_conntrack_proto_udplite nf_conntrack_sip nf_conntrack_broadcast nf_conntrack_tftp"
 # These are loaded as well if you have Enablev4NAT set to yes
 # Default: nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp
-# nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip
+# nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip nf_nat_tftp
 Loadv4NetfilterModulesNAT="nf_nat_ftp nf_nat_h323 nf_nat_irc nf_nat_pptp nf_nat_proto_dccp nf_nat_proto_gre nf_nat_proto_sctp nf_nat_proto_udplite nf_nat_sip nf_nat_tftp"
 # Default policy for filtering rules
diff --git a/etc/ipv4/mss-clamp.conf b/etc/ipv4/mss-clamp.conf
index b649f23..da9e009 100644
--- a/etc/ipv4/mss-clamp.conf
+++ b/etc/ipv4/mss-clamp.conf
@@ -1,13 +1,14 @@
 # Interface MSS Clamping
 # Use this file to set up clamp rules for interfaces
 # Use tabs or single space to separate
-#
-# eth0 1454 fwd
+#
+# eth0 1454 fwd -
 #
 # Default MSS size: 1400:1536
 # Default Type: out
-# You can use '-' as both mss and type, and it will use defaults
+# Default Set MSS: none, use clamp
+# You can use '-' as both mss, type, and set mss, and it will use defaults
 # Interface is required.
 #
-# interface mss size type
-eth0 - -
+# interface mss size type set mss
+eth0 - - -
diff --git a/etc/ipv6/mss-clamp.conf b/etc/ipv6/mss-clamp.conf
index c226a23..da9e009 100644
--- a/etc/ipv6/mss-clamp.conf
+++ b/etc/ipv6/mss-clamp.conf
@@ -1,13 +1,14 @@
 # Interface MSS Clamping
 # Use this file to set up clamp rules for interfaces
 # Use tabs or single space to separate
-#
-# eth0 1454 fwd
+#
+# eth0 1454 fwd -
 #
 # Default MSS size: 1400:1536
 # Default Type: out
-# You can use '-' as both mss and type, and it will use defaults
+# Default Set MSS: none, use clamp
+# You can use '-' as both mss, type, and set mss, and it will use defaults
 # Interface is required.
 #
-# interface mss size type
-eth0 - -
+# interface mss size type set mss
+eth0 - - -
diff --git a/lib/iptables.inc b/lib/iptables.inc
index a03dd04..743f55c 100644
--- a/lib/iptables.inc
+++ b/lib/iptables.inc
@@ -172,16 +172,21 @@ function enable_mss_clamp {
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} loading"
 if [ -e "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" ]; then
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} read ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf successful"
- while read -r interface mss type; do
+ while read -r interface mss type size; do
 [[ ${interface} = \#* ]] && continue
 [[ ${interface} = "" ]] && continue
+ [[ -z ${mss} ]] && mss="-"
 [[ ${mss} == "-" ]] && mss="1400:1536"
+ [[ -z ${type} ]] && type="-"
 [[ ${type} == "-" ]] && type="${OutFilter}"
 [[ ${type} == "out" ]] && type="${OutFilter}"
 [[ ${type} == "fwd" ]] && type="${FwdFilter}"
- ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type}"
+ [[ -z ${size} ]] && size="-"
+ [[ ${size} == "-" ]] && size="--clamp-mss-to-pmtu"
+ [[ ${size} != "-" ]] && size="--set-mss ${size}"
+ ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} Read: ${interface} ${mss} ${type} ${size}"
 ${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
- --clamp-mss-to-pmtu -o ${interface} -m tcpmss --mss ${mss}
+ ${size} -o ${interface} -m tcpmss --mss ${mss}
 done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
 ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} done"
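Review bot: The default path of the three new `size` lines builds an invalid iptables option: `[[ ${size} == "-" ]] && size="--clamp-mss-to-pmtu"` rewrites `size`, so the very next `[[ ${size} != "-" ]]` is true as well and the rule is emitted as `-j TCPMSS --set-mss --clamp-mss-to-pmtu`, which iptables rejects — with the shipped default line `eth0 - - -` no clamp rule gets installed at all, and nothing in the loop notices because the iptables exit status is not checked. The two cases have to be mutually exclusive (an if/else), and because `${size}` is expanded unquoted into the iptables argument list, only a plain integer should reach `--set-mss`; a line that fails that check is better reported and skipped than passed through verbatim. Quoting `"${interface}"` and `"${mss}"` on the rule line would be consistent with that, but is a pre-existing pattern. The body of enable_mss_clamp continues past the end of the hunk.
```shell
# … unchanged: interface/mss/type defaulting …
if [[ -z ${size} || ${size} == "-" ]]; then
  size="--clamp-mss-to-pmtu"
elif [[ ${size} =~ ^[0-9]+$ ]]; then
  size="--set-mss ${size}"
else
  ${debug} ${DebugColor} "${FUNCNAME}:${DEFAULT_COLOR} invalid set mss '${size}' for ${interface}, skipping"
  continue
fi
# … unchanged: Read: debug line and the iptables TCPMSS rule …
```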