Add MSS clamping option

2021-06-25 18:20:06 +00:00 · 2021-06-25 18:20:06 +00:00 · bbcaaa58b6
commit bbcaaa58b6
parent b0aafc5fda
1 changed files with 7 additions and 0 deletions
--- a/firewall.py
+++ b/firewall.py
@ -11,6 +11,7 @@ FQDN = socket.getfqdn()
 DEBUG = os.getenv("DEBUG")
 DISABLE_MASQUERADE = os.getenv("DISABLE_MASQUERADE")
 MONGO_URI = os.getenv("MONGO_URI")
 TCP_MSS_CLAMPING = int(os.getenv("TCP_MSS_CLAMPING", "1452"))
 mongo_uri = pymongo.uri_parser.parse_uri(MONGO_URI)
 ALLOW_MONGO_REPLICA_TRAFFIC = False
@ -71,6 +72,12 @@ def generate_firewall_rules(disabled=False):
    yield "-A OUTPUT -j ACCEPT"
    yield "COMMIT"
    yield "*mangle"
    yield "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN " \
        "-m tcpmss --mss %d:1536 -j TCPMSS --set-mss %d " \
        "-m comment --comment \"MSS clamping\"" % (TCP_MSS_CLAMPING+1, TCP_MSS_CLAMPING)
    yield "COMMIT"
    yield "*nat"
    yield ":PREROUTING ACCEPT [0:0]"
    if disabled: