firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again

SVN-Revision: 28669
Jo-Philipp Wich 2011-10-29 18:02:45 +00:00
parent 0a84f6a74e
commit 50a22f4f9e
4 changed files with 21 additions and 7 deletions


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=firewall PKG_NAME:=firewall
PKG_VERSION:=2 PKG_VERSION:=2
PKG_RELEASE:=40 PKG_RELEASE:=41
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk


@ -67,6 +67,12 @@ fw_stop() {
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \ [ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
done done
config_get i core "${z}_tcpmss"
[ "$i" == 1 ] && {
fw del i m FORWARD zone_${z}_MSSFIX
fw del i m zone_${z}_MSSFIX
}
done done
fw_clear ACCEPT fw_clear ACCEPT
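Review bot: The two new `fw del` lines are hard-wired to the IPv4 family (`i`), while the chain they remove is created in fw_load_zone with `fw add $mode m ${chain}_MSSFIX` where $mode is the zone's family; if $mode can be `6` or `x` for an MSS-fixed zone, the ip6tables mangle chain and its FORWARD jump survive a stop, because the `${z}_tcpmss` flag records only that the zone exists, not which family it was created for. Storing the family in the flag (`uci_set_state firewall core ${zone_name}_tcpmss $mode` on the producer side) and using it here, `[ -n "$i" ] && { fw del $i m FORWARD zone_${z}_MSSFIX; fw del $i m zone_${z}_MSSFIX; }`, would keep teardown symmetric with setup. Deleting `zone_${z}_MSSFIX` can only succeed once the chain is empty, so this relies on the fw helper flushing before `-X` — presumably it does, but worth confirming rather than assuming. Reusing `i` as the flag holder right after it served as the device name in the inner loop reads confusingly; a distinct name such as `mss` would be clearer. fw_stop starts before this hunk and continues past it.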


@ -195,7 +195,6 @@ fw_load_zone() {
fw add $mode f ${chain}_ACCEPT fw add $mode f ${chain}_ACCEPT
fw add $mode f ${chain}_DROP fw add $mode f ${chain}_DROP
fw add $mode f ${chain}_REJECT fw add $mode f ${chain}_REJECT
fw add $mode f ${chain}_MSSFIX
# TODO: Rename to ${chain}_input # TODO: Rename to ${chain}_input
fw add $mode f ${chain} fw add $mode f ${chain}
@ -213,8 +212,11 @@ fw_load_zone() {
fw add $mode r ${chain}_notrack fw add $mode r ${chain}_notrack
[ $zone_mtu_fix == 1 ] && \ [ $zone_mtu_fix == 1 ] && {
fw add $mode f FORWARD ${chain}_MSSFIX ^ fw add $mode m ${chain}_MSSFIX
fw add $mode m FORWARD ${chain}_MSSFIX ^
uci_set_state firewall core ${zone_name}_tcpmss 1
}
[ $zone_custom_chains == 1 ] && { [ $zone_custom_chains == 1 ] && {
[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \ [ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
@ -235,10 +237,14 @@ fw_load_zone() {
zone_log_limit="$zone_log_limit/minute" zone_log_limit="$zone_log_limit/minute"
local t local t
for t in REJECT DROP MSSFIX; do for t in REJECT DROP; do
fw add $mode f ${chain}_${t} LOG ^ \ fw add $mode f ${chain}_${t} LOG ^ \
{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " } { -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
done done
[ $zone_mtu_fix == 1 ] && \
fw add $mode m ${chain}_MSSFIX LOG ^ \
{ -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
} }
# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here # NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
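Review bot: The `uci_set_state firewall core ${zone_name}_tcpmss 1` line is the only thing that tells fw_stop a mangle chain exists for this zone, yet nothing in the block says so, and a reader of fw_load_zone alone cannot see that dependency. A why-comment above the `[ $zone_mtu_fix == 1 ] && {` block would help: `# create the MSSFIX chain in mangle and record it in state so fw_stop can remove it (fw_clear presumably leaves mangle alone)`. The flag stores a bare `1` and drops `$mode`, so consumers cannot tell which family the chain was created for; storing `$mode` instead costs nothing and lets the stop path mirror the add. The `^` on the mangle FORWARD jump places each zone's clamp ahead of whatever else populates mangle FORWARD, which looks intended but deserves a one-line comment as well. fw_load_zone starts before the first hunk and this section shows three separate hunks of it.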


@ -96,7 +96,9 @@ fw_configure_interface() {
fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet } fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet } fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
fw $action $mode f ${chain}_MSSFIX TCPMSS $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet } [ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
{ -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
fw $action $mode f input ${chain} $ { -i "$ifname" $inet } fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet } fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
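Review bot: The TCPMSS rule on the new lines is gated on the live value of `uci_get_state firewall core "${zone}_tcpmss"` for both the add and the del action, so a rule inserted while the flag was set would be left behind in mangle if the flag has been cleared by the time the interface's remove runs — whether that ordering can occur on reload is not visible in this hunk, so treat it as something to verify. Gating only the add on the flag and letting the del run unconditionally avoids the asymmetry, assuming the fw helper tolerates a failed `-D`: `[ "$action" == del -o "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \`. A comment on the match would also help readers: `# clamp MSS on outbound SYNs only (SYN set, RST clear) so the peer negotiates a segment size that fits the path MTU`. As before the move, the clamp applies only in the `-o "$ifname"` direction, so SYNs arriving on this interface are not clamped. fw_configure_interface starts and ends outside this hunk.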