firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again
SVN-Revision: 28669
This commit is contained in:
parent
0a84f6a74e
commit
50a22f4f9e
4 changed files with 21 additions and 7 deletions
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||
PKG_NAME:=firewall
|
||||
|
||||
PKG_VERSION:=2
|
||||
PKG_RELEASE:=40
|
||||
PKG_RELEASE:=41
|
||||
|
||||
include $(INCLUDE_DIR)/package.mk
|
||||
|
||||
|
|
|
@ -67,6 +67,12 @@ fw_stop() {
|
|||
[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
|
||||
INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
|
||||
done
|
||||
|
||||
config_get i core "${z}_tcpmss"
|
||||
[ "$i" == 1 ] && {
|
||||
fw del i m FORWARD zone_${z}_MSSFIX
|
||||
fw del i m zone_${z}_MSSFIX
|
||||
}
|
||||
done
|
||||
|
||||
fw_clear ACCEPT
|
||||
|
|
|
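Review bot: The `${z}_tcpmss` state flag that fw_load_zone writes with `uci_set_state` is read in the new block but never cleared, so unless the firewall state is reverted somewhere outside this hunk, a zone whose mtu_fix option is later switched off keeps a stale flag and fw_configure_interface will still try to add TCPMSS rules into a mangle chain that no longer exists. Clearing it next to the chain deletion, e.g. `uci_revert_state firewall core "${z}_tcpmss"` if that helper is available in this tree, or confirming that fw_clear/reload already drops the whole state, would close that gap. Reusing `$i` for the flag immediately after it held the interface device name in the inner loop is also easy to misread; a dedicated local such as `local mss` would keep the two loops independent. The deletion hardcodes mode `i` while the chain is created with `$mode` in fw_load_zone; if `$mode` can ever be anything other than `i` for a zone, its mangle chain would be left behind. fw_stop continues outside the hunk.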
@ -195,7 +195,6 @@ fw_load_zone() {
|
|||
fw add $mode f ${chain}_ACCEPT
|
||||
fw add $mode f ${chain}_DROP
|
||||
fw add $mode f ${chain}_REJECT
|
||||
fw add $mode f ${chain}_MSSFIX
|
||||
|
||||
# TODO: Rename to ${chain}_input
|
||||
fw add $mode f ${chain}
|
||||
|
@ -213,8 +212,11 @@ fw_load_zone() {
|
|||
|
||||
fw add $mode r ${chain}_notrack
|
||||
|
||||
[ $zone_mtu_fix == 1 ] && \
|
||||
fw add $mode f FORWARD ${chain}_MSSFIX ^
|
||||
[ $zone_mtu_fix == 1 ] && {
|
||||
fw add $mode m ${chain}_MSSFIX
|
||||
fw add $mode m FORWARD ${chain}_MSSFIX ^
|
||||
uci_set_state firewall core ${zone_name}_tcpmss 1
|
||||
}
|
||||
|
||||
[ $zone_custom_chains == 1 ] && {
|
||||
[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
|
||||
|
@ -235,10 +237,14 @@ fw_load_zone() {
|
|||
zone_log_limit="$zone_log_limit/minute"
|
||||
|
||||
local t
|
||||
for t in REJECT DROP MSSFIX; do
|
||||
for t in REJECT DROP; do
|
||||
fw add $mode f ${chain}_${t} LOG ^ \
|
||||
{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
|
||||
{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
|
||||
done
|
||||
|
||||
[ $zone_mtu_fix == 1 ] && \
|
||||
fw add $mode m ${chain}_MSSFIX LOG ^ \
|
||||
{ -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
|
||||
}
|
||||
|
||||
# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
|
||||
|
|
|
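Review bot: The `uci_set_state firewall core ${zone_name}_tcpmss 1` line in the `[ $zone_mtu_fix == 1 ] && {` block establishes a contract that two other functions rely on, but nothing in the code says so; a comment above the block would make that explicit, e.g. `# record in state that this zone owns a mangle MSSFIX chain; fw_stop and fw_configure_interface check ${zone_name}_tcpmss before touching it`. The state key is built from `${zone_name}` while the chains use `${chain}`, and the readers use `${z}` and `${zone}` respectively, so this only works if all of those resolve to the same zone name; that looks intended but is not visible from the hunks. The flag is only ever written when mtu_fix is 1, so a zone that had it enabled in an earlier load and disabled now depends on the state having been reverted in between. fw_load_zone starts and ends outside the hunks.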
@ -96,7 +96,9 @@ fw_configure_interface() {
|
|||
fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
|
||||
fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
|
||||
|
||||
fw $action $mode f ${chain}_MSSFIX TCPMSS $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
|
||||
[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
|
||||
fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
|
||||
{ -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
|
||||
|
||||
fw $action $mode f input ${chain} $ { -i "$ifname" $inet }
|
||||
fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
|
||||
|
|
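Review bot: The new guard makes the TCPMSS rule depend on runtime state rather than on the zone's configuration, and nothing in the hunk says where that state comes from; a one-line comment above it would save the next reader a search, e.g. `# mangle MSSFIX chain exists only if fw_load_zone set ${zone}_tcpmss in state`. The comparison uses `==` inside `[ ]`, which busybox ash accepts but POSIX test does not; the rest of this file uses the same form, so this is a file-wide portability caveat rather than a defect in this line. Because the same guard governs the `del` path, an interface removed after the state was reverted keeps its rule until the chain itself is deleted, which appears to be fw_stop's job. fw_configure_interface continues outside the hunk.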