Some cleaner operations in functions, added some debugging info

bin/srfirewall

@@ -76,6 +76,11 @@ fi
 #	exit 2
 #fi
 
+# We can't function without certain cli binaries being available
+if [ ! -x "${GREP}" ]; then
+	${display} RED "Error: grep command not found.  Please define GREP variable in main.conf manually."
+	exit 3
+fi
 
 # Basic sanity tests for ip{6}tables binaries and modules
 if [ ! -x "${IPTABLES}" ] && [ "${EnableIPv4}" == "yes" ] && [ "${DebugOverride}" != "yes" ]; then
@@ -141,11 +146,12 @@ if [ "${EnableIPv4}" == "yes" ]; then
 	# customized by users in their custom rules
 	setup_iptables_chains ipv4
 	
-	if [ "${AllowAllv4Loopback}" == "yes" ]; then allow_all_loopback ipv4; fi
+	[ "${AllowAllv4Loopback}" == "yes" ] && allow_all_loopback ipv4
-	if [ "${EnableTrustedv4Hosts}" == "yes" ]; then allow_trusted_hosts ipv4; fi
+	[ "${EnableTrustedv4Hosts}" == "yes" ] && allow_trusted_hosts ipv4
+	[ "${Enablev4MSSClamp}" == "yes" ] && enable_mss_clamp ipv4
 fi
 
-# Do IPv4 IPTables Rules
+# Do IPv6 IPTables Rules
 if [ "${EnableIPv6}" == "yes" ]; then
 	# First flush all rules
 	iptables_rules_flush ipv6
@@ -154,7 +160,8 @@ if [ "${EnableIPv6}" == "yes" ]; then
 	# customized by users in their custom rules
 	setup_iptables_chains ipv6
 	
-	if [ "${AllowAllv6Loopback}" == "yes" ]; then allow_all_loopback ipv6; fi
+	[ "${AllowAllv6Loopback}" == "yes" ] && allow_all_loopback ipv6
-	if [ "${EnableTrustedv6Hosts}" == "yes" ]; then allow_trusted_hosts ipv6; fi
+	[ "${EnableTrustedv6Hosts}" == "yes" ] && allow_trusted_hosts ipv6
+	[ "${Enablev6MSSClamp}" == "yes" ] && enable_mss_clamp ipv6
 fi
 

etc/ipv4.conf

@@ -14,6 +14,11 @@ AllowAllv4Loopback="yes"
 # IMPORTANT:  Hosts put in the trusted file will have complete
 # and unfettered access to the host, ignoring all other rules.
 #
-# Config file is located in ipv4/trusted.conf
+# Config file: ipv4/trusted.conf
 # Values: no | yes (default)
-EnableTrustedv4Hosts="yes"
+EnableTrustedv4Hosts="yes"
+
+# Enable MSS clamping to work around MTU size issues
+# on network links such as PPPoE and wireless
+# Config file: ipv4/mss-clamp.conf
+Enablev4MSSClamp="yes"

etc/ipv6.conf

@@ -14,6 +14,11 @@ AllowAllv6Loopback="yes"
 # IMPORTANT:  Hosts put in the trusted file will have complete
 # and unfettered access to the host, ignoring all other rules.
 #
-# Config file is located in ipv6/trusted.conf
+# Config file: ipv6/trusted.conf
 # Values: no | yes (default)
-EnableTrustedv6Hosts="yes"
+EnableTrustedv6Hosts="yes"
+
+# Enable MSS clamping to work around MTU size issues
+# on network links such as PPPoE and wireless
+# Config file: ipv6/mss-clamp.conf
+Enablev6MSSClamp="yes"

etc/main.conf

@@ -35,6 +35,10 @@ DebugColor="PURPLE"
 #IPTABLES="/sbin/iptables"
 #IP6TABLES="/sbin/ip6tables"
 
+# Manually override location of grep if needed
+# otherwise detect automatically with 'which'
+#GREP="/usr/bin/grep"
+
 # There are two types of state matches available, old style
 # state matching using '--state' and new style '--ctstate'
 # Values: state | conntrack (default)

lib/binaries.inc

@@ -22,6 +22,7 @@
 MODPROBE=`which modprobe`
 IPTABLES=`which iptables`
 IP6TABLES=`which ip6tables`
+GREP=`which grep`
 
 IP4TablesMod="ip_tables"
 IP6TablesMod="ip6_tables"

lib/iptables.inc

@@ -91,32 +91,32 @@ function setup_iptables_chains {
 	# Set up rules - the order matters - we do it separately here
 	# for easy viewing of order
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/prerun.sh; fi
-	${debug} ${DebugColor} "Setting up InPreRules"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up InPreRules"
 	${VER_IPTABLES} -A INPUT -j ${InPreRules}
-	${debug} ${DebugColor} "Setting up OutPreRules"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up OutPreRules"
 	${VER_IPTABLES} -A OUTPUT -j ${OutPreRules}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/easyblock.sh; fi
-	${debug} ${DebugColor} "Setting up InEasyBlock"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up InEasyBlock"
 	${VER_IPTABLES} -A INPUT -j ${InEasyBlock}
-	${debug} ${DebugColor} "Setting up OutEasyBlock"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up OutEasyBlock"
 	${VER_IPTABLES} -A OUTPUT -j ${OutEasyBlock}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/filter.sh; fi
-	${debug} ${DebugColor} "Setting up InFilter"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up InFilter"
 	${VER_IPTABLES} -A INPUT -j ${InFilter}
-	${debug} ${DebugColor} "Setting up OutFilter"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up OutFilter"
 	${VER_IPTABLES} -A OUTPUT -j ${OutFilter}
-	${debug} ${DebugColor} "Setting up FwdFilter"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up FwdFilter"
 	${VER_IPTABLES} -A FORWARD -j ${FwdFilter}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/nat.sh; fi
-	${debug} ${DebugColor} "Setting up NAT"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up NAT"
 	${VER_IPTABLES} -A POSTROUTING -t nat -j ${NAT}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/portfw.sh; fi
-	${debug} ${DebugColor} "Setting up PortForward"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up PortForward"
 	${VER_IPTABLES} -A PREROUTING -t nat -j ${PortForward}
 	if [ -x ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh ]; then . ${FWCONFIGDIR}/ipv${IPVER}/custom/postrun.sh; fi
-	${debug} ${DebugColor} "Setting up InPostRules"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up InPostRules"
 	${VER_IPTABLES} -A INPUT -j ${InPostRules}
-	${debug} ${DebugColor} "Setting up OutPostRules"
+	${debug} ${DebugColor} "${FUNCNAME}: Setting up OutPostRules"
 	${VER_IPTABLES} -A OUTPUT -j ${OutPostRules}
 }
 
@@ -141,16 +141,43 @@ function allow_trusted_hosts {
 		ipv4|*) VER_IPTABLES=${IPTABLES}
 				IPVER="4" ;;
 	esac
-	${debug} ${DebugColor} "allow_trusted_hosts: loading"
+	${debug} ${DebugColor} "${FUNCNAME}: loading"
 	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf" ]; then
 		for i in `grep -v "\#" "${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"`; do
 			${VER_IPTABLES} -A ${InPreRules} -s $i -j ACCEPT
 			${VER_IPTABLES} -A ${OutPreRules} -d $i -j ACCEPT
 		done
-		${debug} ${DebugColor} "allow_trusted_hosts: done"
+		${debug} ${DebugColor} "${FUNCNAME}: done"
 	else
 		${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/trusted.conf"
 		${display} RED "Error: can not load trusted hosts file."
-		${debug} ${DebugColor} "allow_trusted_hosts: failed"
+		${debug} ${DebugColor} "${FUNCNAME}: failed"
+	fi
+}
+function enable_mss_clamp {
+	IP_VERSION=$1
+		case $IP_VERSION in
+		ipv6) VER_IPTABLES=${IP6TABLES};
+				IPVER="6" ;;
+		ipv4|*) VER_IPTABLES=${IPTABLES}
+				IPVER="4" ;;
+	esac
+	${debug} ${DebugColor} "${FUNCNAME}: loading"
+	if [ -e "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf" ]; then
+	while read -r interface mss type; do
+        [[ ${interface} = \#* ]] && continue
+		[ ${mss} == "-" ] && mss="1400:1536"
+		[ ${type} == "-" ] && type="${OutFilter}"
+		[ ${type} == "out" ] && type="${OutFilter}"
+		[ ${type} == "fwd" ] && type="${FwdFilter}"
+		${VER_IPTABLES} -A ${type} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
+				--clamp-mss-to-pmtu -o $i -m tcpmss --mss ${mss}
+	done < "${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
+
+		${debug} ${DebugColor} "${FUNCNAME}: done"
+	else
+		${display} RED "File Missing: ${FWCONFIGDIR}/ipv${IPVER}/mss-clamp.conf"
+		${display} RED "Error: can not load mss clamp file."
+		${debug} ${DebugColor} "${FUNCNAME}: failed"
 	fi
 }