MSS Clamp move

2010-10-22 02:06:39 +00:00 · 2010-10-22 02:06:39 +00:00 · a178e473d3
parent f21d3adbbf
commit a178e473d3
3 changed files with 26 additions and 22 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+0.9.10 - Brielle Bruns <bruns@2mbit.com>
+	- Move clamp mss up earlier in the rules to possibly
+	  fix an issue I noticed during testing
+
 0.9.9a - Brielle Bruns <bruns@2mbit.com>
 	- Minor bug fixes for my coding errors introduced in
 	  the change of IPv6 variables
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-VERSION=0.9.9a
+VERSION=0.9.10
 TAR=/usr/bin/tar
 TARBALL="firewall-sosdg-$(VERSION).tar.bz2"

--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@ -18,7 +18,7 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

-FW_VERSION="0.9.9"
+FW_VERSION="0.9.10"

 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file.  I leave this on by default,
@ -139,6 +139,26 @@ if [ "$TRUSTEDIP" ]; then
 	echo -ne "\n"
 fi

+if [ "$CLAMPMSS" ]; then
+	display_c YELLOW "Clamping MSS to PMTU..."
+	for i in $CLAMPMSS; do
+		$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
+		# This is necessary to make sure that PMTU works
+		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
+			-i $i -j ACCEPT
+		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
+			-o $i -j ACCEPT
+		$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
+			-i $i -j ACCEPT
+	done
+echo -en "\n"
+fi
+
 if [ "$DNS_REQUESTS_OUT" ]; then
 	display_c YELLOW "Adding DNS reply allows for trusted DNS servers.."
 	for i in $DNS_REQUESTS_OUT; do
@ -262,26 +282,6 @@ if [ -s "$BASEDIR/include/ipv4_custom_mssclamp" ]; then
 	. "$BASEDIR/include/ipv4_custom_mssclamp"
 fi

-if [ "$CLAMPMSS" ]; then
-	display_c YELLOW "Clamping MSS to PMTU..."
-	for i in $CLAMPMSS; do
-		$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-		$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
-			--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-		# This is necessary to make sure that PMTU works
-		$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-			-o $i -j ACCEPT
-		$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-			-i $i -j ACCEPT
-		$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-			-o $i -j ACCEPT
-		$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-			-i $i -j ACCEPT
-	done
-echo -en "\n"
-fi
-

 if [ "$HACK_IPV4" ]; then
 	apply_ipv4_hack $HACK_IPV4