firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
SVN-Revision: 28669
parent
0a84f6a74e
commit
50a22f4f9e
4 changed files with 21 additions and 7 deletions
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
||||||
PKG_NAME:=firewall
|
PKG_NAME:=firewall
|
||||||
|
|
||||||
PKG_VERSION:=2
|
PKG_VERSION:=2
|
||||||
PKG_RELEASE:=40
|
PKG_RELEASE:=41
|
||||||
|
|
||||||
include $(INCLUDE_DIR)/package.mk
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
|
|
@ -67,6 +67,12 @@ fw_stop() {
|
||||||
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
|
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
|
||||||
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
|
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
|
||||||
done
|
done
|
||||||
|
|
||||||
|
config_get i core "${z}_tcpmss"
|
||||||
|
[ "$i" == 1 ] && {
|
||||||
|
fw del i m FORWARD zone_${z}_MSSFIX
|
||||||
|
fw del i m zone_${z}_MSSFIX
|
||||||
|
}
|
||||||
done
|
done
|
||||||
|
|
||||||
fw_clear ACCEPT
|
fw_clear ACCEPT
|
||||||
|
|
|
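Review bot: The new block deletes the mangle MSSFIX jump and chain but never clears the `${z}_tcpmss` state flag that fw_load_zone sets, so unless the state is reverted elsewhere in fw_stop, a later hotplug-driven fw_configure_interface could still try to add TCPMSS rules to a chain that no longer exists. The flag is also read here with `config_get i core`, whereas it is written with `uci_set_state` and read in fw_configure_interface with `uci_get_state`; if this function has not loaded the state file via config_load, `config_get` will look in the static config and miss it. Using `[ "$(uci_get_state firewall core "${z}_tcpmss")" == 1 ] && {` would keep all three accessors consistent. Reusing the interface loop variable `$i` for the flag also reads oddly; a dedicated local would make the intent clearer. fw_stop begins before this hunk.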
@ -195,7 +195,6 @@ fw_load_zone() {
|
||||||
fw add $mode f ${chain}_ACCEPT
|
fw add $mode f ${chain}_ACCEPT
|
||||||
fw add $mode f ${chain}_DROP
|
fw add $mode f ${chain}_DROP
|
||||||
fw add $mode f ${chain}_REJECT
|
fw add $mode f ${chain}_REJECT
|
||||||
fw add $mode f ${chain}_MSSFIX
|
|
||||||
|
|
||||||
# TODO: Rename to ${chain}_input
|
# TODO: Rename to ${chain}_input
|
||||||
fw add $mode f ${chain}
|
fw add $mode f ${chain}
|
||||||
|
@ -213,8 +212,11 @@ fw_load_zone() {
|
||||||
|
|
||||||
fw add $mode r ${chain}_notrack
|
fw add $mode r ${chain}_notrack
|
||||||
|
|
||||||
[ $zone_mtu_fix == 1 ] && \
|
[ $zone_mtu_fix == 1 ] && {
|
||||||
fw add $mode f FORWARD ${chain}_MSSFIX ^
|
fw add $mode m ${chain}_MSSFIX
|
||||||
|
fw add $mode m FORWARD ${chain}_MSSFIX ^
|
||||||
|
uci_set_state firewall core ${zone_name}_tcpmss 1
|
||||||
|
}
|
||||||
|
|
||||||
[ $zone_custom_chains == 1 ] && {
|
[ $zone_custom_chains == 1 ] && {
|
||||||
[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
|
[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
|
||||||
|
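Review bot: The rewritten test `[ $zone_mtu_fix == 1 ] && {` leaves the variable unquoted, so if `zone_mtu_fix` is ever empty the test collapses to `[ == 1 ]` and the shell reports an error rather than skipping the block; the same form appears in the new logging line in the next hunk (`[ $zone_mtu_fix == 1 ] && \`). Quoting it, `[ "$zone_mtu_fix" == 1 ] && {`, costs nothing and matches the quoted style already used in fw_configure_interface. The three new commands also create the chain, hook it into FORWARD and record state without any comment; a line such as `# MSSFIX lives in mangle now; the state flag lets fw_configure_interface/fw_stop find it` would help the next reader. fw_load_zone continues outside this hunk.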
@ -235,10 +237,14 @@ fw_load_zone() {
|
||||||
zone_log_limit="$zone_log_limit/minute"
|
zone_log_limit="$zone_log_limit/minute"
|
||||||
|
|
||||||
local t
|
local t
|
||||||
for t in REJECT DROP MSSFIX; do
|
for t in REJECT DROP; do
|
||||||
fw add $mode f ${chain}_${t} LOG ^ \
|
fw add $mode f ${chain}_${t} LOG ^ \
|
||||||
{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
|
{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
|
||||||
done
|
done
|
||||||
|
|
||||||
|
[ $zone_mtu_fix == 1 ] && \
|
||||||
|
fw add $mode m ${chain}_MSSFIX LOG ^ \
|
||||||
|
{ -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
|
||||||
}
|
}
|
||||||
|
|
||||||
# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
|
# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
|
||||||
|
|
|
@ -96,7 +96,9 @@ fw_configure_interface() {
|
||||||
fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
|
fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
|
||||||
fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
|
fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
|
||||||
|
|
||||||
fw $action $mode f ${chain}_MSSFIX TCPMSS $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
|
[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
|
||||||
|
fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
|
||||||
|
{ -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
|
||||||
|
|
||||||
fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
|
fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
|
||||||
fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
|
fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
|
||||||
|
|
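Review bot: The state key is spelled `${zone}_tcpmss` here but `${zone_name}_tcpmss` where it is set in fw_load_zone and `${z}_tcpmss` in fw_stop; assuming `$zone` holds the zone name this matches, but it is worth a comment so the three spellings are obviously the same key, e.g. `# gated on the ${zone}_tcpmss state flag set by fw_load_zone, since the mangle MSSFIX chain only exists for zones with mtu_fix`. Because the check is evaluated on both the add and del paths via `$action`, removal also depends on the flag still being present at that time; the hunk does not show whether state is reverted before or after the remove hotplug call. fw_configure_interface continues outside this hunk.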