}
static void
-check_kmod(struct uci_element *e, bool *module, const char *name)
+check_target(struct uci_element *e, bool *available, const char *target, const bool ipv6)
{
- FILE *f;
- char buf[128];
-
- if (!*module)
- return;
-
- snprintf(buf, sizeof(buf), "/sys/module/%s/refcnt", name);
-
- f = fopen(buf, "r");
-
- if (f)
+ const bool b = fw3_has_target(ipv6, target);
+ if (!b)
{
- fclose(f);
- return;
+ warn_elem(e, "requires unavailable target extension %s, disabling", target);
}
-
- warn_elem(e, "requires not available kernel module %s, disabling", name);
- *module = false;
+ *available = b;
}
static void
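Review bot: check_target() has no counterpart to the early return that check_kmod() had (`if (!*module) return;`), so it probes for the target and emits the "requires unavailable target extension" warning even when the option was never enabled. The FLOWOFFLOAD call site in the later hunk calls it unconditionally, so a system without the extension gets the "disabling" warning regardless of configuration. Wrapping that call and its follow-up assignment in `if (defs->flow_offloading) { ... }` would restore the old behaviour and skip the needless probe. While there, `flow_offload_avaliable` is misspelt and should read `flow_offload_available`.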
struct uci_element *e;
struct fw3_defaults *defs = &state->defaults;
+ bool flow_offload_avaliable = false;
bool seen = false;
defs->tcp_reject_code = FW3_REJECT_CODE_TCP_RESET;
check_any_reject_code(e, &defs->any_reject_code);
- check_kmod(e, &defs->flow_offloading, "xt_FLOWOFFLOAD");
+ /* exists in both ipv4 and ipv6, if at all, so only check ipv4 */
+ check_target(e, &flow_offload_avaliable, "FLOWOFFLOAD", false);
+
+ if (!flow_offload_avaliable)
+ defs->flow_offloading = false;
}
}
for (c = default_chains; c->format; c++)
{
- /* don't touch user chains on selective stop */
- if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
- continue;
-
if (!fw3_is_family(c, handle->family))
continue;
!fw3_hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
continue;
- fw3_ipt_create_chain(handle, c->format);
+ fw3_ipt_create_chain(handle, reload, c->format);
}
set(defs->flags, handle->family, handle->table);
{
int i;
struct fw3_defaults *defs = &state->defaults;
- struct fw3_device lodev = { .set = true };
+ struct fw3_device lodev = { .set = true, .name = "lo" };
struct fw3_protocol tcp = { .protocol = 6 };
struct fw3_ipt_rule *r;
{
case FW3_TABLE_FILTER:
- sprintf(lodev.name, "lo");
-
r = fw3_ipt_rule_create(handle, NULL, &lodev, NULL, NULL, NULL);
fw3_ipt_rule_target(r, "ACCEPT");
fw3_ipt_rule_append(r, "INPUT");
set_default(const char *name, int set)
{
FILE *f;
- char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling\0")];
+ char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling")];
snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);
- info(" * Set tcp_%s to %s", name, set ? "on" : "off", name);
+ info(" * Set tcp_%s to %s", name, set ? "on" : "off");
if (!(f = fopen(path, "w")))
{
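Review bot: The `snprintf()` result for `path` is still unchecked, and the buffer is sized for exactly the longest expected name (`tcp_window_scaling`). A longer `name` would be silently truncated, and the following `fopen(path, "w")` would then open a different `/proc/sys/net/ipv4/tcp_*` entry than the one requested. The callers are outside this hunk and presumably pass fixed strings, but a cheap guard makes that assumption explicit: `int n = snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);` followed by `if (n < 0 || (size_t)n >= sizeof(path)) return;`. set_default's body continues past the hunk.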
fw3_ipt_delete_id_rules(handle, "PREROUTING");
fw3_ipt_delete_id_rules(handle, "POSTROUTING");
+ /* first flush all the rules ... */
for (c = default_chains; c->format; c++)
{
/* don't touch user chains on selective stop */
continue;
fw3_ipt_flush_chain(handle, c->format);
+ }
+
+ /* ... then remove the chains */
+ for (c = default_chains; c->format; c++)
+ {
+ if (!fw3_is_family(c, handle->family))
+ continue;
+
+ if (c->table != handle->table)
+ continue;
- /* keep certain basic chains that do not depend on any settings to
- avoid purging unrelated user rules pointing to them */
- if (reload && !c->flag)
+ if (c->flag && !has(defs->flags, handle->family, c->flag))
continue;
- fw3_ipt_delete_chain(handle, c->format);
+ fw3_ipt_delete_chain(handle, reload, c->format);
}
del(defs->flags, handle->family, handle->table);
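Review bot: The removal loop no longer carries either reload guard: the custom-chain skip appears only in the flush loop above, and the removed `if (reload && !c->flag) continue;`, which kept basic chains alive for user rules pointing at them, has no replacement here. Whether user rules survive a reload now depends entirely on what fw3_ipt_delete_chain() does with its new `reload` argument, which is not visible in this hunk. A comment at the call would make that contract reviewable, for example `/* on reload the callee decides whether the chain may be removed, e.g. when user rules still reference it */`, adjusted to the callee's real behaviour. The enclosing function starts outside the hunk.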