| Message ID | 20200723040501.89353-1-yszhou4tech@gmail.com |
|---|---|
| State | Superseded, archived |
| Series | [firewall3] zones: apply tcp mss clamping also on ingress path |
Hi Yousong,

On 7/23/20 6:05 AM, Yousong Zhou wrote:
> Fixes FS#3231
>
> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
> ---
> zones.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/zones.c b/zones.c
> index 68b02ab..d5e756c 100644
> --- a/zones.c
> +++ b/zones.c
> @@ -580,6 +580,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
> fw3_ipt_rule_target(r, "TCPMSS");
> fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
> fw3_ipt_rule_replace(r, "FORWARD");
> +
> + r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, NULL, sub);

I think this should be

    r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);

in order to turn -d subnet into -s subnet for the ingress rule.

~ Jo
Hi Jo,

On Thu, 23 Jul 2020 at 14:31, Jo-Philipp Wich <jo@mein.io> wrote:
>
> Hi Yousong,
>
> On 7/23/20 6:05 AM, Yousong Zhou wrote:
> > Fixes FS#3231
> >
> > Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
> > ---
> > zones.c | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
> > diff --git a/zones.c b/zones.c
> > index 68b02ab..d5e756c 100644
> > --- a/zones.c
> > +++ b/zones.c
> > @@ -580,6 +580,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
> > fw3_ipt_rule_target(r, "TCPMSS");
> > fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
> > fw3_ipt_rule_replace(r, "FORWARD");
> > +
> > + r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, NULL, sub);
>
> I think this should be
>
>     r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
>
> in order to turn -d subnet into -s subnet for the ingress rule.

Indeed, now I know that fw zones can be further defined by network cidrs ;)

Will send v2.

Regards,
yousong

>
> ~ Jo
>
diff --git a/zones.c b/zones.c index 68b02ab..d5e756c 100644 --- a/zones.c +++ b/zones.c @@ -580,6 +580,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, fw3_ipt_rule_target(r, "TCPMSS"); fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL); fw3_ipt_rule_replace(r, "FORWARD"); + + r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, NULL, sub); + fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST"); + fw3_ipt_rule_addarg(r, false, "SYN", NULL); + fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name); + fw3_ipt_rule_target(r, "TCPMSS"); + fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL); + fw3_ipt_rule_replace(r, "FORWARD"); } } else if (handle->table == FW3_TABLE_RAW)
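Review bot: the new ingress rule passes `sub` as the last argument of fw3_ipt_rule_create, which, as Jo-Philipp Wich points out in the review above, keeps the zone subnet as the destination match (-d) instead of the source match (-s), so the added rule does not actually clamp MSS on the ingress direction it is meant to cover; it should read `r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);`. The rule reuses the comment "Zone %s MTU fixing" with no hint of direction, so the two clamping rules in FORWARD will be hard to tell apart in `iptables -L` output when debugging MTU problems; a direction-specific comment would help. The commit message consists only of "Fixes FS#3231"; a sentence describing the symptom and why clamping on the egress path alone was not sufficient would let reviewers judge the change without looking up the ticket.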
Fixes FS#3231

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
---
 zones.c | 8 ++++++++
 1 file changed, 8 insertions(+)