
firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again

SVN-Revision: 28669
Jo-Philipp Wich 14 years ago
parent
commit
50a22f4f9e

+ 1 - 1
package/firewall/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall
 
 PKG_VERSION:=2
-PKG_RELEASE:=40
+PKG_RELEASE:=41
 
 include $(INCLUDE_DIR)/package.mk
 

+ 6 - 0
package/firewall/files/lib/core.sh

@@ -67,6 +67,12 @@ fw_stop() {
 			[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
 				INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
 		done
+
+		config_get i core "${z}_tcpmss"
+		[ "$i" == 1 ] && {
+			fw del i m FORWARD zone_${z}_MSSFIX
+			fw del i m zone_${z}_MSSFIX
+		}
 	done
 
 	fw_clear ACCEPT
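Review bot: The two `fw del` lines hard-code the IPv4 family (`i`), whereas core_init.sh creates the MSSFIX chain and its FORWARD jump with `$mode`, so for a zone loaded with a non-IPv4 mode the mangle rules would be left in place by this block (unless `fw_clear ACCEPT` on the next line flushes the mangle table anyway, which this hunk does not show). If `fw_clear` does not cover mangle, the deletion should run for the same families the zone was loaded with, e.g. `for m in i 6; do fw del $m m FORWARD zone_${z}_MSSFIX; fw del $m m zone_${z}_MSSFIX; done`, or the family should be stored alongside the `${z}_tcpmss` state entry. Reusing `i` for the flag right after it held the device name also reads confusingly; a dedicated variable such as `local mss` would make the intent clearer. fw_stop's body starts outside the hunk.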

+ 11 - 5
package/firewall/files/lib/core_init.sh

@@ -195,7 +195,6 @@ fw_load_zone() {
 	fw add $mode f ${chain}_ACCEPT
 	fw add $mode f ${chain}_DROP
 	fw add $mode f ${chain}_REJECT
-	fw add $mode f ${chain}_MSSFIX
 
 	# TODO: Rename to ${chain}_input
 	fw add $mode f ${chain}
@@ -213,8 +212,11 @@ fw_load_zone() {
 
 	fw add $mode r ${chain}_notrack
 
-	[ $zone_mtu_fix == 1 ] && \
-		fw add $mode f FORWARD ${chain}_MSSFIX ^
+	[ $zone_mtu_fix == 1 ] && {
+		fw add $mode m ${chain}_MSSFIX
+		fw add $mode m FORWARD ${chain}_MSSFIX ^
+		uci_set_state firewall core ${zone_name}_tcpmss 1
+	}
 
 	[ $zone_custom_chains == 1 ] && {
 		[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
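Review bot: `uci_set_state firewall core ${zone_name}_tcpmss 1` is only ever written when `zone_mtu_fix` is 1 and is never cleared, so if the state file is not reverted between reloads a zone whose mtu_fix option was later turned off would still be seen as `1` by core.sh and core_interface.sh, and fw_stop would then try to delete a mangle chain that was never created on this load. Unless a revert is guaranteed elsewhere, record the off case explicitly, e.g. `[ $zone_mtu_fix == 1 ] || uci_set_state firewall core ${zone_name}_tcpmss 0` after the block, so the three consumers of the flag always observe the current setting. The same flag is read with `config_get` in core.sh but with `uci_get_state` in core_interface.sh; a short comment here naming it as the single state key both rely on, such as `# consumed by fw_stop (core.sh) and fw_configure_interface (core_interface.sh)`, would help the next maintainer. fw_load_zone continues outside this hunk.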
@@ -235,10 +237,14 @@ fw_load_zone() {
 			zone_log_limit="$zone_log_limit/minute"
 
 		local t
-		for t in REJECT DROP MSSFIX; do
+		for t in REJECT DROP; do
 			fw add $mode f ${chain}_${t} LOG ^ \
-				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): "  }
+				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
 		done
+
+		[ $zone_mtu_fix == 1 ] && \
+			fw add $mode m ${chain}_MSSFIX LOG ^ \
+				{ -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
 	}
 
 	# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here

+ 3 - 1
package/firewall/files/lib/core_interface.sh

@@ -96,7 +96,9 @@ fw_configure_interface() {
 		fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
 		fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }
 
-		fw $action $mode f ${chain}_MSSFIX TCPMSS  $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
+		[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
+			fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
+				{ -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
 
 		fw $action $mode f input   ${chain}         $ { -i "$ifname" $inet }
 		fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }
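Review bot: The guard `[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ]` spawns a `uci` lookup for every interface of every zone, and it is run with `$action` set to `del` as well as `add`, so a TCPMSS rule added earlier is only removed if the state entry still reads `1` at deletion time; if the state was reverted or changed in between, the rule stays in the mangle chain (inferred from the visible lines, the caller is not shown). Consider evaluating the flag once per zone in the caller and passing it in, or at least keeping the add/del paths symmetric so that removal does not depend on current state. Note also that core.sh reads this same key via `config_get` while this line uses `uci_get_state`; both must resolve to the same storage or the two checks will disagree. fw_configure_interface's body starts and ends outside the hunk.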