@hiroyuki-sato
Created May 6, 2014 08:16
TCP-MSS test for VyOS

Commands

set policy route PPPOE-IN rule 10 destination address 0.0.0.0/0
set policy route PPPOE-IN rule 10 protocol tcp
set policy route PPPOE-IN rule 10 tcp flags 'SYN,!ACK,!FIN,!RST'
set policy route PPPOE-IN rule 10 set tcp-mss 1414
set interface ethernet eth0 policy route PPPOE-IN

/sbin/iptables -L -n -t mangle

root@vyos# /sbin/iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
VYATTA_FW_IN_HOOK  all  --  0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
VYATTA_FW_OUT_HOOK  all  --  0.0.0.0/0            0.0.0.0/0           

Chain PPPOE-IN (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10 */ tcpflags: 0x17/0x02 TCPMSS set 1414
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10000 default-action accept */

Chain VYATTA_FW_IN_HOOK (1 references)
target     prot opt source               destination         
PPPOE-IN   all  --  0.0.0.0/0            0.0.0.0/0           

Chain VYATTA_FW_OUT_HOOK (1 references)
target     prot opt source               destination         
[edit]

/opt/vyatta/share/vyatta-cfg/templates/policy/route/node.def

tag:
priority: 199

type: txt

syntax:expression: pattern $VAR(@) "^[[:print:]]{1,28}$" ; \
                   "Policy route rule set name must be 28 characters or less"
syntax:expression: pattern $VAR(@) "^[^-]" ; \
                   "Policy route rule set name cannot start with \"-\""
syntax:expression: pattern $VAR(@) "^[^;]*$" ; \
                   "Policy route rule set name cannot contain ';'"
syntax:expression: ! pattern $VAR(@) "^VZONE" ; \
                   "Policy route rule set name cannot start with 'VZONE'"

end: if sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-rules "policy route" "$VAR(@)" ;
     then
       if [ ${COMMIT_ACTION} = 'DELETE' ] ;
       then
          if sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown-ok "policy route" ;
          then
             sudo /opt/vyatta/sbin/vyatta-firewall.pl --teardown "policy route"
          fi
       fi
     else
       exit 1;
     fi
     sudo /opt/vyatta/sbin/vyatta-ipset.pl --action=prune-deleted-sets

create: sudo /opt/vyatta/sbin/vyatta-firewall.pl --setup iptables "policy route"

help: Policy route rule set name
vyos@vyos:/opt/vyatta/share/vyatta-cfg/templates/policy/route/node.tag/rule/node

/opt/vyatta/share/perl5/Vyatta/IpTables/Rule.pm

if (defined($self->{_mod_tcpmss})) {
  # TCP-MSS
  # check for SYN flag
  if (!defined $self->{_tcp_flags} ||
      !(($self->{_tcp_flags} =~ m/SYN/) && !($self->{_tcp_flags} =~ m/!SYN/))) {
    return ('need to set TCP SYN flag to modify TCP MSS', );
  }

  if ($self->{_mod_tcpmss} =~ m/\d/) {
    $rule .= "-j TCPMSS --set-mss $self->{_mod_tcpmss} ";
  } else {
    $rule .= "-j TCPMSS --clamp-mss-to-pmtu ";
  }
  $count++;
}
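The Rule.pm excerpt above only checks that SYN is listed and not negated; the rest of the `tcp flags` string becomes the mask/comp pair that `iptables -L` prints as `tcpflags: 0xMASK/0xCOMP` (the listings on this page show `0x17/0x02` in one run and `0x02/0x02` in another for the same rule). The following is added example code, not VyOS's own: it encodes a VyOS flags string the way iptables does, applies the same SYN precondition as Rule.pm, and pulls the TCPMSS rules with their packet counters out of a verbose mangle-table listing (the sample listing is constructed from the output above) so that a zero counter on the clamp rule is easy to spot.

```python
"""Added helpers for checking a VyOS policy-route TCP-MSS rule (not VyOS code)."""
import re

# Bit values iptables uses for --tcp-flags; '0x17/0x02' is mask/comp in hex
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def vyos_tcp_flags_to_mask(flags):
    """'SYN,!ACK,!FIN,!RST' -> (mask, comp): every listed flag is examined (mask),
    only the un-negated ones must be set (comp). 'SYN' alone gives (0x02, 0x02)."""
    mask = comp = 0
    for tok in flags.split(","):
        tok = tok.strip()
        bit = TCP_FLAG_BITS[tok.lstrip("!").upper()]  # KeyError on an unknown flag name
        mask |= bit
        if not tok.startswith("!"):
            comp |= bit
    return mask, comp


def syn_required_for_mss(flags):
    """The same precondition Rule.pm enforces: SYN listed and not negated."""
    return flags is not None and "SYN" in flags and "!SYN" not in flags


_CHAIN_RE = re.compile(r"^Chain (\S+)")
_TCPMSS_RE = re.compile(
    r"^\s*(\d+)\s+\S+\s+TCPMSS\s+tcp\b.*?tcpflags:\s*0x([0-9a-fA-F]+)/0x([0-9a-fA-F]+)"
    r"\s+TCPMSS (set (\d+)|clamp to PMTU)")


def tcpmss_rules(listing):
    """Return [(chain, pkts, mask, comp, mss_or_None)] for each TCPMSS rule in an
    'iptables -L -n -v -t mangle' listing; pkts == 0 means the clamp matched nothing."""
    chain, rules = None, []
    for line in listing.splitlines():
        m = _CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = _TCPMSS_RE.match(line)
        if m:
            mss = int(m.group(5)) if m.group(5) else None
            rules.append((chain, int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16), mss))
    return rules


# Constructed sample modelled on the PPPOE-IN chain listed above
SAMPLE = """Chain PPPOE-IN (1 references)
  pkts bytes target     prot opt in     out     source               destination
     0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10 */ tcpflags: 0x17/0x02 TCPMSS set 1414
  1037 78393 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10000 default-action accept */
"""
```

Comparing `vyos_tcp_flags_to_mask(configured_flags)` with the `(mask, comp)` that `tcpmss_rules` reads back is a quick way to confirm the rule iptables installed is the one that was configured.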

Commands

set policy route PPPOE-IN rule 10 destination address 0.0.0.0/0
set policy route PPPOE-IN rule 10 protocol tcp
set policy route PPPOE-IN rule 10 tcp flags 'SYN,!ACK,!FIN,!RST'
set policy route PPPOE-IN rule 10 set tcp-mss 1414
set interface ethernet eth0 policy route PPPOE-IN

sudo /sbin/iptables -L -n -v -t mangle

# /sbin/iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 547 packets, 38076 bytes)
  pkts bytes target     prot opt in     out     source               destination         
  1649  109K VYATTA_FW_IN_HOOK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 547 packets, 38076 bytes)
  pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 382 packets, 78200 bytes)
  pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 382 packets, 78200 bytes)
  pkts bytes target     prot opt in     out     source               destination         
  1197  146K VYATTA_FW_OUT_HOOK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PPPOE-IN (1 references)
  pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10 */ tcpflags: 0x02/0x02 TCPMSS set 1414
  1037 78393 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10000 default-action accept */

Chain VYATTA_FW_IN_HOOK (1 references)
  pkts bytes target     prot opt in     out     source               destination         
  1037 78393 PPPOE-IN   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain VYATTA_FW_OUT_HOOK (1 references)
  pkts bytes target     prot opt in     out     source               destination         

When applied to the PPP interface

set interfaces ethernet eth0 pppoe 0 policy route PPPOE-IN

sudo /sbin/iptables -v -L -n -t mangle
Chain PREROUTING (policy ACCEPT 112 packets, 8056 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2339  156K VYATTA_FW_IN_HOOK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain INPUT (policy ACCEPT 112 packets, 8056 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 75 packets, 8980 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 75 packets, 8980 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1705  200K VYATTA_FW_OUT_HOOK  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain PPPOE-IN (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10 */ tcpflags: 0x02/0x02 TCPMSS set 1414
 1515  115K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* PPPOE-IN-10000 default-action accept */

Chain VYATTA_FW_IN_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 PPPOE-IN   all  --  pppoe0 *       0.0.0.0/0            0.0.0.0/0           
 1515  115K PPPOE-IN   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           

Chain VYATTA_FW_OUT_HOOK (1 references)
 pkts bytes target     prot opt in     out     source               destination         