firewall: relocate TCPMSS rules into mangle table, add code to selectively clear them out again

SVN-Revision: 28669
13 years ago · 50a22f4f9e
parent 0a84f6a74e
commit 50a22f4f9e
4 changed files with 21 additions and 7 deletions
--- a/package/firewall/Makefile
+++ b/package/firewall/Makefile
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=firewall

 PKG_VERSION:=2
-PKG_RELEASE:=40
+PKG_RELEASE:=41

 include $(INCLUDE_DIR)/package.mk

--- a/package/firewall/files/lib/core.sh
+++ b/package/firewall/files/lib/core.sh
@ -67,6 +67,12 @@ fw_stop() {
 			[ -n "$i" ] && env -i ACTION=remove ZONE="$z" \
 				INTERFACE="$n" DEVICE="$i" /sbin/hotplug-call firewall
 		done
+
+		config_get i core "${z}_tcpmss"
+		[ "$i" == 1 ] && {
+			fw del i m FORWARD zone_${z}_MSSFIX
+			fw del i m zone_${z}_MSSFIX
+		}
 	done

 	fw_clear ACCEPT
--- a/package/firewall/files/lib/core_init.sh
+++ b/package/firewall/files/lib/core_init.sh
@ -195,7 +195,6 @@ fw_load_zone() {
 	fw add $mode f ${chain}_ACCEPT
 	fw add $mode f ${chain}_DROP
 	fw add $mode f ${chain}_REJECT
-	fw add $mode f ${chain}_MSSFIX

 	# TODO: Rename to ${chain}_input
 	fw add $mode f ${chain}
@ -213,8 +212,11 @@ fw_load_zone() {

 	fw add $mode r ${chain}_notrack

-	[ $zone_mtu_fix == 1 ] && \
-		fw add $mode f FORWARD ${chain}_MSSFIX ^
+	[ $zone_mtu_fix == 1 ] && {
+		fw add $mode m ${chain}_MSSFIX
+		fw add $mode m FORWARD ${chain}_MSSFIX ^
+		uci_set_state firewall core ${zone_name}_tcpmss 1
+	}

 	[ $zone_custom_chains == 1 ] && {
 		[ $FW_ADD_CUSTOM_CHAINS == 1 ] || \
@ -235,10 +237,14 @@ fw_load_zone() {
 			zone_log_limit="$zone_log_limit/minute"

 		local t
-		for t in REJECT DROP MSSFIX; do
+		for t in REJECT DROP; do
 			fw add $mode f ${chain}_${t} LOG ^ \
-				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): "  }
+				{ -m limit --limit $zone_log_limit --log-prefix "$t($zone_name): " }
 		done
+
+		[ $zone_mtu_fix == 1 ] && \
+			fw add $mode m ${chain}_MSSFIX LOG ^ \
+				{ -m limit --limit $zone_log_limit --log-prefix "MSSFIX($zone_name): " }
 	}

 	# NB: if MASQUERADING for IPv6 becomes available we'll need a family check here
--- a/package/firewall/files/lib/core_interface.sh
+++ b/package/firewall/files/lib/core_interface.sh
@ -96,7 +96,9 @@ fw_configure_interface() {
 		fw $action $mode f ${chain}_REJECT reject $ { -o "$ifname" $onet }
 		fw $action $mode f ${chain}_REJECT reject $ { -i "$ifname" $inet }

-		fw $action $mode f ${chain}_MSSFIX TCPMSS  $ { -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }
+		[ "$(uci_get_state firewall core "${zone}_tcpmss")" == 1 ] && \
+			fw $action $mode m ${chain}_MSSFIX TCPMSS $ \
+				{ -o "$ifname" -p tcp --tcp-flags SYN,RST SYN --clamp-mss-to-pmtu $onet }

 		fw $action $mode f input   ${chain}         $ { -i "$ifname" $inet }
 		fw $action $mode f forward ${chain}_forward $ { -i "$ifname" $inet }