From 359ce7f97e9ddd6082391def8f27ccceb31a83ce Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Wed, 31 Dec 2008 19:02:03 +0000 Subject: disable the MSS fixup hack by default (most ISPs don't require this as a workaround for MTU problems, only some do). this should give a nice speedup for routing on standard-compliant ISPs SVN-Revision: 13788 --- package/firewall/files/firewall.config | 5 +++++ package/firewall/files/uci_firewall.sh | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) (limited to 'package/firewall') diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config index e903519..16d688e 100755 --- a/package/firewall/files/firewall.config +++ b/package/firewall/files/firewall.config @@ -21,6 +21,11 @@ config forwarding option src lan option dest wan +## Enable this option if you encounter any MTU problems +## e.g. some websites work, others do not, submitting +## forms causes problems, ... +# option mtu_fix 1 + ### EXAMPLE CONFIG SECTIONS # do not allow a specific ip to access wan diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh index f46a533..41b2b5f 100755 --- a/package/firewall/files/uci_firewall.sh +++ b/package/firewall/files/uci_firewall.sh @@ -41,6 +41,7 @@ create_zone() { config_set $ZONE_LIST $1 1 $IPTABLES -N zone_$1 + $IPTABLES -N zone_$1_MSSFIX $IPTABLES -N zone_$1_ACCEPT $IPTABLES -N zone_$1_DROP $IPTABLES -N zone_$1_REJECT @@ -60,6 +61,7 @@ addif() { [ -n "$dev" -a "$dev" == "$1" ] && return logger "adding $1 to firewall zone $2" $IPTABLES -A input -i $1 -j zone_$2 + $IPTABLES -I zone_$2_MSSFIX 1 -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT $IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP $IPTABLES -I zone_$2_REJECT 1 -o $1 -j reject @@ -147,7 +149,6 @@ fw_defaults() { $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A FORWARD -m state --state INVALID -j DROP - $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -i lo -j ACCEPT @@ -250,9 +251,11 @@ fw_forwarding() { config_get src $1 src config_get dest $1 dest + config_get_bool mtu_fix $1 mtu_fix 0 [ -n "$src" ] && z_src=zone_${src}_forward || z_src=forward [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT $IPTABLES -I $z_src 1 -j $z_dest + [ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX } fw_redirect() { -- cgit v1.1