X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=defaults.c;h=11fbf0dd8f74a51e4b2d95fd0bb7e742d65cd8f4;hp=3ea8e37a5caa301914c782a2a486272a3e82f43c;hb=HEAD;hpb=be8ead27f625b3e4ed383f270dcfee2d158231ec
diff --git a/defaults.c b/defaults.c
index 3ea8e37..11fbf0d 100644
--- a/defaults.c
+++ b/defaults.c
@@ -54,8 +54,11 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("accept_redirects", bool, defaults, accept_redirects),
 FW3_OPT("accept_source_route", bool, defaults, accept_source_route),
+ FW3_OPT("auto_helper", bool, defaults, auto_helper),
 FW3_OPT("custom_chains", bool, defaults, custom_chains),
 FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6),
+ FW3_OPT("flow_offloading", bool, defaults, flow_offloading),
+ FW3_OPT("flow_offloading_hw", bool, defaults, flow_offloading_hw),
 FW3_OPT("__flags_v4", int, defaults, flags[0]),
 FW3_OPT("__flags_v6", int, defaults, flags[1]),
@@ -79,6 +82,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
 }
 }
+static void
+check_offloading(struct uci_element *e, bool *offloading)
+{
+ FILE *f;
+
+ if (!*offloading)
+ return;
+
+ f = fopen("/sys/module/xt_FLOWOFFLOAD/refcnt", "r");
+
+ if (f)
+ {
+ fclose(f);
+ return;
+ }
+
+ warn_elem(e, "enables offloading but missing kernel support, disabling");
+ *offloading = false;
+}
+
 void
 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 {
@@ -93,7 +116,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 defs->tcp_syncookies = true;
 defs->tcp_window_scaling = true;
 defs->custom_chains = true;
- defs->drop_invalid = true;
+ defs->auto_helper = true;
 uci_foreach_element(&p->sections, e)
 {
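Review bot: check_offloading() (hunk at -79) has no comment saying what the probe of `/sys/module/xt_FLOWOFFLOAD/refcnt` actually proves: it succeeds only if that sysfs file can be opened at the moment the defaults are loaded, which as far as I know means the target is present as a currently loaded module, so a built-in target or a module loaded later would presumably be reported as missing support. A header comment such as `/* Disable flow offloading unless the xt_FLOWOFFLOAD module is currently loaded (probed via sysfs). */` would make that assumption explicit. Since the file is only tested for existence, the fopen()/fclose() pair could become `if (!access("/sys/module/xt_FLOWOFFLOAD/refcnt", F_OK)) return;`, provided `<unistd.h>` is available to this file. Falling back to "offloading off" when the probe fails is the safe direction and should stay.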
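Review bot: In the fw3_load_defaults() hunk at -93, `defs->drop_invalid = true;` is replaced rather than joined by `defs->auto_helper = true;`, so unless it is assigned elsewhere the built-in `drop_invalid` default goes from on to off for every configuration that does not set the option explicitly. That is a change to the default filtering behaviour, not just a new option, and it deserves a comment beside the defaults, for example `/* drop_invalid is now opt-in: <reason> */` with the actual reason filled in. The function body starts and ends outside the hunk, so other assignments to `drop_invalid` are not visible here.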
@@ -108,11 +131,14 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 continue;
 }
- fw3_parse_options(&state->defaults, fw3_flag_opts, s);
+ if(!fw3_parse_options(&state->defaults, fw3_flag_opts, s))
+ warn_elem(e, "has invalid options");
 check_policy(e, &defs->policy_input, "input");
 check_policy(e, &defs->policy_output, "output");
 check_policy(e, &defs->policy_forward, "forward");
+
+ check_offloading(e, &defs->flow_offloading);
 }
 }
@@ -155,7 +181,7 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
 continue;
 if (c->flag &&
- !hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
+ !fw3_hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
 continue;
 fw3_ipt_create_chain(handle, c->format);
@@ -199,12 +225,23 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
 {
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for %s", chains[i+1]);
+ fw3_ipt_rule_comment(r, "Custom %s rule chain", chains[i+1]);
 fw3_ipt_rule_target(r, "%s_rule", chains[i+1]);
 fw3_ipt_rule_append(r, chains[i]);
 }
 }
+ if (defs->flow_offloading)
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_comment(r, "Traffic offloading");
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
+ fw3_ipt_rule_target(r, "FLOWOFFLOAD");
+ if (defs->flow_offloading_hw)
+ fw3_ipt_rule_addarg(r, false, "--hw", NULL);
+ fw3_ipt_rule_append(r, "FORWARD");
+ }
+
 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
 {
 r = fw3_ipt_rule_new(handle);
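Review bot: In the fw3_load_defaults() hunk at -108, a failed fw3_parse_options() only produces the "has invalid options" warning and the loop then carries on with check_policy() and check_offloading(), so the defaults section is still applied with whatever was presumably parsed successfully plus the built-in values. Whether a partially valid defaults section should be applied or rejected is not visible from here; if continuing is intended, a comment such as `/* keep going: a partially valid defaults section is still applied */` would record the decision. Minor style point: `if(` should be `if (` to match the rest of the file. The enclosing loop and function start outside the hunk.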
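Review bot: The FLOWOFFLOAD rule added in the fw3_print_default_head_rules() hunk at -199 carries no comment on why it sits at this position in FORWARD, after the custom `%s_rule` jumps but ahead of the rules the following loop appends. Position matters for this target: as far as I know, once a flow is handed to the offload path its later packets are no longer evaluated by the FORWARD chain, so per-packet matches on established flows (rate limits, accounting, late drops) stop applying. A comment such as `/* offloaded flows bypass the rest of FORWARD; keep this ahead of the rules appended below */` would record that. Setting `flow_offloading_hw` without `flow_offloading` is silently ignored by this block, and a warning at load time would make that misconfiguration visible. The enclosing function starts and ends outside the hunk, so the table and family conditions around this block cannot be checked here.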
@@ -255,12 +292,12 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 if (defs->custom_chains)
 {
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for prerouting");
+ fw3_ipt_rule_comment(r, "Custom prerouting rule chain");
 fw3_ipt_rule_target(r, "prerouting_rule");
 fw3_ipt_rule_append(r, "PREROUTING");
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for postrouting");
+ fw3_ipt_rule_comment(r, "Custom postrouting rule chain");
 fw3_ipt_rule_target(r, "postrouting_rule");
 fw3_ipt_rule_append(r, "POSTROUTING");
 }