applications/luci-splash: firewall fixes

diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash
index 85ea8ec..1d6e988 100755 (executable)
--- a/applications/luci-splash/root/etc/init.d/luci_splash
+++ b/applications/luci-splash/root/etc/init.d/luci_splash
@@ -17,10 +17,11 @@ iface_add() {
        [ -n "$netmask" ] || return 0
        
        eval "$(ipcalc.sh $ipaddr $netmask)"
-       
-       iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal
-       iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal
-       iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal
+
+       iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting
+       iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal
+       iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal
+       iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal
 }
 
 blacklist_add() {
@@ -44,9 +45,9 @@ start() {
        config_load luci_splash
        
        ### Create subchains
-       iptables -t nat -N luci_splash
        iptables -t nat -N luci_splash_portal
        iptables -t nat -N luci_splash_leases
+       iptables -t nat -N luci_splash_prerouting
        
        ### Build the main and portal rule
        config_foreach blacklist_add blacklist
@@ -70,16 +71,26 @@ start() {
        start-stop-daemon -S -b -q -x /usr/bin/luci-splashd
 }
 
-stop() {       
+iface_del() {
+       config_get zone "$1" zone                                                                
+       [ -n "$zone" ] || return 0
+       iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting
+}
+
+stop() {
+       ### Clear interface rules
+       config_load luci_splash
+       config_foreach iface_del iface
+        
        ### Clear subchains
        iptables -t nat -F luci_splash_leases
        iptables -t nat -F luci_splash_portal
-       iptables -t nat -F luci_splash  
+       iptables -t nat -F luci_splash_prerouting
        
        ### Delete subchains
        iptables -t nat -X luci_splash_leases
        iptables -t nat -X luci_splash_portal
-       iptables -t nat -X luci_splash
+       iptables -t nat -X luci_splash_prerouting
 
        ### Stop the splash httpd
        start-stop-daemon -K -q -x /usr/bin/luci-splashd

diff --git a/modules/freifunk/root/etc/firewall.freifunk b/modules/freifunk/root/etc/firewall.freifunk
index 663fc61..c70ac3a 100644 (file)
--- a/modules/freifunk/root/etc/firewall.freifunk
+++ b/modules/freifunk/root/etc/firewall.freifunk
@@ -13,6 +13,8 @@ apply_advanced() {
        local accept_source_route
 
        config_get_bool tcp_ecn $1 tcp_ecn 1
+       config_get ip_conntrack_max $1 ip_conntrack_max
+       config_get_bool tcp_westwood $1 tcp_westwood 0
        config_get_bool tcp_window_scaling $1 tcp_window_scaling 1
        config_get_bool accept_redirects $1 accept_redirects 0
        config_get_bool accept_source_route $1 accept_source_route 0
@@ -24,6 +26,8 @@ apply_advanced() {
 
        sysctl -w net.ipv4.tcp_ecn=$tcp_ecn >/dev/null
        sysctl -w net.ipv4.tcp_window_scaling=$tcp_window_scaling >/dev/null
+       sysctl -w net.ipv4.tcp_westwood=$tcp_westwood >/dev/null
+       sysctl -w net.ipv4.ip_conntrack_max=$ip_conntrack_max >/dev/null
 
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
                echo $accept_redirects > $f
@@ -51,3 +55,5 @@ apply_nat_fix() {
 uci_set_state firewall core loaded 1
 config_foreach fw_addif interface
 config_foreach apply_nat_fix interface
+
+[ -x /etc/init.d/luci_splash ] && /etc/init.d/luci_splash start