From 3f0c737fd8807688b783ce6b82cc3ac53568ab62 Mon Sep 17 00:00:00 2001
From: "bruns@2mbit.com"
Date: Sat, 15 May 2010 17:07:40 +0000
Subject: [PATCH]

---
 ChangeLog | 1 +
 options.default | 8 +++++++-
 rc.firewall | 35 ++++++++++++++++++++++++++++++-----
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d91288b..32feea0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,5 @@
 0.7 - Brielle Bruns
+ - MSS Clamp on IPv6 as well
  - Beginning support for bogons filtering and updater script.
diff --git a/options.default b/options.default
index 86bccd1..c1858c2 100755
--- a/options.default
+++ b/options.default
@@ -20,7 +20,8 @@ FORWARD=1
 BLOCKINCOMING=1
 # Clamp MSS, useful on DSL/VPN links
-#CLAMPMSS=ppp0
+# Space separated list of interfaces to apply this on
+#CLAMPMSS="ppp0 eth0"
 # Do we run a LAN DHCP server?
 #LANDHCPSERVER=1
@@ -74,6 +75,11 @@ IPV6BLOCKINCOMING=1
 # Useful if clients do not have proper ipv6 firewalls.
 #IPV6ROUTEDCLIENTBLOCK=1
+# Clamp MSS, useful on DSL/VPN links
+# Space separated list of interfaces to apply this on
+# it may be used eventually.
+#CLAMPMSSIPV6="he-ipv6"
+
 # Interface IPv6 comes in on (either tunnel or real network interface)
 #IPV6INT=he-ipv6
diff --git a/rc.firewall b/rc.firewall
index a6ccbc2..7807858 100755
--- a/rc.firewall
+++ b/rc.firewall
@@ -46,11 +46,21 @@ fi
 if [ $CLAMPMSS ]; then
 echo "Clamping MSS to PMTU..."
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
- --clamp-mss-to-pmtu
- iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
- --clamp-mss-to-pmtu
-
+ for i in $CLAMPMSS; do
+ $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu -o $i --mss 1400:1536
+ $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu -o $i --mss 1400:1536
+ # This is necessary to make sure that PMTU works
+ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+ -o $i -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+ -i $i -j ACCEPT
+ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+ -o $i -j ACCEPT
+ $IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+ -i $i -j ACCEPT
+ done
 #$IPTABLES -t mangle -o $CLAMPMSS -A FORWARD -p tcp \
 # --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 \
 # -j TCPMSS --clamp-mss-to-pmtu
@@ -152,10 +162,17 @@ fi
+
+
 if [ $NAT ]; then
 for i in $NATRANGE; do
 $IPTABLES -A POSTROUTING -t nat -s $i -o $NATEXTIF -j SNAT --to-source $NATEXTIP
 done
+ # This is necessary to make sure that PMTU works
+ $IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -o $NATEXTIF \
+ -j ACCEPT
+ $IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+ -o $NATEXTIF -j ACCEPT
 fi
 $IPTABLES --policy INPUT ACCEPT
@@ -187,6 +204,14 @@ if [ $IPV6 ]; then
 done
 echo -ne "\n"
+
+ if [ $CLAMPMSSIPV6 ]; then
+ echo "Clamping IPv6 MSS to PMTU..."
+ ip6tables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu
+ ip6tables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+ --clamp-mss-to-pmtu
+ fi
 echo -n "Adding allowed IPv6 port: "
 for i in $IPV6TCP; do
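Review bot: The two TCPMSS rules inside the new `for i in $CLAMPMSS` loop put `--mss 1400:1536` after `-j TCPMSS`, but `--mss` is an option of the `tcpmss` match, not of the TCPMSS target (the commented-out rule kept as context below the loop shows the working form, `-m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu`), so iptables should reject each rule as an unknown option and nothing is clamped even though the script prints "Clamping MSS to PMTU..."; either insert `-m tcpmss` before `--mss` or drop `--mss` entirely. Separately, options.default in this same commit documents CLAMPMSS as a space-separated list (`#CLAMPMSS="ppp0 eth0"`), but the unchanged guard `if [ $CLAMPMSS ]; then` expands a two-word value to `[ ppp0 eth0 ]`, a test error that skips the whole block; `if [ -n "$CLAMPMSS" ]; then` handles both the empty and the multi-word case. The new INPUT rules accept `time-exceeded` and `fragmentation-needed` from any source on each interface; if the state match is available in this ruleset, qualifying them with `-m state --state RELATED` keeps PMTU discovery working while admitting only ICMP that conntrack ties to an existing flow. The enclosing `if [ $CLAMPMSS ]` block ends outside the hunk.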
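Review bot: The two ICMP rules added after the SNAT loop are OUTPUT rules only, so they cover packets the firewall host itself emits on $NATEXTIF; for the NATed clients in $NATRANGE, what PMTU discovery depends on is that inbound `fragmentation-needed` from upstream is accepted on INPUT/FORWARD and mapped back through conntrack, which this hunk does not touch. If the OUTPUT chain policy is ACCEPT (the script sets `--policy INPUT ACCEPT` right below, OUTPUT's policy is not visible here) the rules also change nothing. If the intent is locally-originated traffic only, the comment should say so, e.g. `# Allow PMTU-related ICMP sent by this host on the NAT interface`. When $NATEXTIF is also listed in $CLAMPMSS, the same OUTPUT rules are now added twice.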
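Review bot: The IPv6 block tests `[ $CLAMPMSSIPV6 ]` and applies the two ip6tables rules without any interface, although options.default in this commit documents CLAMPMSSIPV6 as a space-separated interface list (`#CLAMPMSSIPV6="he-ipv6"`) like the IPv4 setting; with two interfaces the unquoted test errors out and the block is skipped, and with one the configured interface is ignored. Make it `if [ -n "$CLAMPMSSIPV6" ]; then`, wrap the two rules in `for i in $CLAMPMSSIPV6; do … done` and add `-o $i` to each, mirroring the IPv4 loop earlier in this commit. The IPv4 hunk uses `$IPTABLES` while this one hard-codes `ip6tables`; if the script has a matching variable for the IPv6 binary, using it keeps the two paths consistent. The enclosing `if [ $IPV6 ]` block continues outside the hunk.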