--- etc/defaults/rc.conf.orig 2014-11-23 11:02:31.000000000 +0700
+++ etc/defaults/rc.conf 2015-02-01 04:17:09.000000000 +0700
@@ -205,6 +205,10 @@
 pfsync_syncpeer="" # IP address of pfsync peer host
 pfsync_ifconfig="" # Additional options to ifconfig(8) for pfsync
 tcp_extensions="YES" # Set to NO to turn off RFC1323 extensions.
+tcpmss_enable="NO" # Set to YES to use ipfw(8) for MSS adjustements
+tcpmss_verbose="NO" # Set to YES to enable verbose configuration messages
+#tcpmss_instances="555" # Space separated list of ng_tcpmss(4) nodes (netgraph cookies)
+#tcpmss_555="1452" # maxMSS value for this ng_tcpmss(4) instance
 log_in_vain="0" # >=1 to log connects to ports w/o listeners.
 tcp_keepalive="YES" # Enable stale TCP connection timeout (or NO).
 tcp_drop_synfin="NO" # Set to YES to drop TCP packets with SYN+FIN
--- share/man/man5/rc.conf.5.orig 2014-11-23 11:02:37.000000000 +0700
+++ share/man/man5/rc.conf.5 2015-02-01 04:22:20.000000000 +0700
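Review bot: The comment on the new `tcpmss_enable` line misspells `adjustements` and describes the knob a little too broadly: per the rc.conf.5 text in this same patch and the rc.d script, enabling it only creates and configures the ng_tcpmss(4) nodes, and the administrator still has to add the ipfw(8) `netgraph` rules that send traffic to them. I would write it as `tcpmss_enable="NO" # Set to YES to set up ng_tcpmss(4) nodes for ipfw(8) MSS adjustment` so nobody expects MSS clamping from the knob alone. The commented `tcpmss_instances="555"` example could also say that the instance number is what the ipfw rule references (`netgraph 555`), matching the rule shown in rc.conf.5.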
@@ -1001,8 +1001,62 @@
 or other weird behavior.
 Some network devices are known
 to be broken with respect to these options.
+.It Va tcpmss_enable
+.Pq Vt bool
+Set to
+.Dq Li NO
+by default.
+Setting this to
+.Dq Li YES
+enables configuration of
+.Xr ng_tcpmss 4
+netgraph nodes to perform custom TCP MSS adjustments using
+.Xr ipfw 8
+rules. The
+.Va tcpmss_instances
+variable must also be set then. Kernel modules
+.Xr netgraph 4 ,
+.Xr ng_ipfw 4 ,
+and
+.Xr ng_tcpmss 4
+will be loaded if the kernel was not built with corresponding
+.Cd "options NETGRAPH" ,
+.Cd "options NETGRAPH_IPFW" ,
+and
+.Cd "options NETGRAPH_TCPMSS" .
+.It Va tcpmss_instances
+.Pq Vt str
+Set to the list of
+.Xr ng_tcpmss 4
+instances to configure on this host. Values of the list
+are used to form instance names and as netgraph cookies,
+so they should be numbers. A
+.Va tcpmss_ Ns Aq Ar number
+variable is assumed to exist for each value of the list.
+The value of this variable is used as
+.Va maxMSS
+to configure the
+.Xr ng_tcpmss 4
+instance.
+.Pp
+To adjust MSS to corresponding
+.Va maxMSS
+value configured with
+.Va tcpmss_ Ns Aq Ar number
+variable
+one can use
+.Xr ipfw 8
+rules like:
+.Pp
+netgraph
+.Va Ns Aq Ar number
+tcp from any to any setup in
+.It Va tcpmss_verbose
+.Pq Vt bool
+Set to
+.Dq Li YES
+to enable verbose ng_tcpmss(4) configuration messages.
 .It Va log_in_vain
-.Pq Vt int
 Set to 0 by default.
 The
 .Xr sysctl 8
@@ -4714,6 +4768,9 @@
 .Xr pfsync 4 ,
 .Xr tcp 4 ,
 .Xr udp 4 ,
+.Xr netgraph 4 ,
+.Xr ng_ipfw 4 ,
+.Xr ng_tcpmss 4 ,
 .Xr exports 5 ,
 .Xr fstab 5 ,
 .Xr ipf 5 ,
--- etc/rc.d/tcpmss.orig 1970-01-01 07:00:00.000000000 +0700
+++ etc/rc.d/tcpmss 2015-02-01 04:23:34.575436000 +0700
@@ -0,0 +1,75 @@
+#!/bin/sh
+#
+# $FreeBSD$
+#
+
+# PROVIDE: tcpmss
+# BEFORE: ipfw
+# REQUIRE: netif
+# KEYWORD: nojail
+
+. /etc/rc.subr
+
+name="tcpmss"
+rcvar="${name}_enable"
+start_cmd="${name}_start"
+start_precmd="${name}_prestart"
+stop_cmd="${name}_stop"
+
+tcpmss_prestart() {
+ [ -n "$1" ] && tcpmss_instances="$1"
+ [ -z "$tcpmss_instances" ] && return 1
+ required_modules="netgraph ng_ipfw ng_tcpmss"
+}
+
+tcpmss_start()
+{
+ local _i _m _v
+
+ [ -n "$1" ] && tcpmss_instances="$1"
+ checkyesno tcpmss_verbose && _v=yes
+
+ rc=0
+ for _i in $tcpmss_instances
+ do
+ # get value of tcpmss_NAME="1452"
+ eval _m=\"\$tcpmss_${_i}\"
+ if [ -z "$_m" ]; then
+ echo "Warning: variable tcpmss_$_i not defined" >&2
+ continue
+ fi
+ [ -n "$_v" ] && echo -n "Setup ng_tcpmss instance $_i: mss=$_m"
+ ngctl mkpeer ipfw: tcpmss $_i mss_$_i && ngctl msg ipfw:$_i config \
+ '{ inHook="'mss_$_i'" outHook="'mss_$_i'" maxMSS='$_m' }' && \
+ ngctl name ipfw:$_i mss_$_i
+ rc=$(($rc + $?))
+
+ [ -n "$_v" ] && echo .
+ done
+
+ return $rc
+}
+
+tcpmss_stop()
+{
+ local _i _v
+
+ [ -n "$1" ] && tcpmss_instances="$1"
+ checkyesno tcpmss_verbose && _v=yes
+
+ rc=0
+ for _i in $tcpmss_instances
+ do
+ [ -n "$_v" ] && echo -n "Shutdown ng_tcpmss instance $_i"
+ ngctl shutdown mss_${_i}:
+ rc=$(($rc + $?))
+ [ -n "$_v" ] && echo .
+ done
+
+ return $rc
+
+ kldunload ng_ipfw ng_tcpmss netgraph
+}
+
+load_rc_config $name
+run_rc_command "$@"
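Review bot: The `kldunload ng_ipfw ng_tcpmss netgraph` line at the end of tcpmss_stop is unreachable because it follows `return $rc`; either drop it or, if the unload is intended, move it before the return — but unloading netgraph(4) from a stop method would presumably also affect any other netgraph consumer on the host, so dropping the line is the safer fix. In tcpmss_start each instance name is interpolated unquoted into an `eval` and into ngctl node and hook names, while the rc.conf.5 text in this patch says the values should be numbers; a guard such as `case "$_i" in ''|*[!0-9]*) warn "tcpmss: instance name '$_i' is not a number"; continue ;; esac` placed before the `eval` would reject a malformed rc.conf value instead of handing it to the shell parser. tcpmss_prestart also returns 1 silently when tcpmss_instances is empty, so the service simply does not start; a `warn "tcpmss_instances is not set"` before that return would explain why, and the same rc.subr `warn` helper could replace the hand-rolled `echo ... >&2` in tcpmss_start. The `rc` counter is assigned in both functions but is not in their `local` lists, so it leaks into the rc.subr caller's scope.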