FW3_OPT("output", target, defaults, policy_output),
FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
+ FW3_OPT("tcp_reject_code", reject_code, defaults, tcp_reject_code),
+ FW3_OPT("any_reject_code", reject_code, defaults, any_reject_code),
FW3_OPT("syn_flood", bool, defaults, syn_flood),
FW3_OPT("synflood_protect", bool, defaults, syn_flood),
FW3_OPT("custom_chains", bool, defaults, custom_chains),
FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6),
FW3_OPT("flow_offloading", bool, defaults, flow_offloading),
+ FW3_OPT("flow_offloading_hw", bool, defaults, flow_offloading_hw),
FW3_OPT("__flags_v4", int, defaults, flags[0]),
FW3_OPT("__flags_v6", int, defaults, flags[1]),
}
static void
-check_offloading(struct uci_element *e, bool *offloading)
+check_kmod(struct uci_element *e, bool *module, const char *name)
{
FILE *f;
+ char buf[128];
- if (!*offloading)
+ if (!*module)
return;
- f = fopen("/sys/module/xt_FLOWOFFLOAD/refcnt", "r");
+ snprintf(buf, sizeof(buf), "/sys/module/%s/refcnt", name);
+
+ f = fopen(buf, "r");
if (f)
{
return;
}
- warn_elem(e, "enables offloading but missing kernel support, disabling");
- *offloading = false;
+ warn_elem(e, "requires not available kernel module %s, disabling", name);
+ *module = false;
+}
+
+static void
+check_any_reject_code(struct uci_element *e, enum fw3_reject_code *any_reject_code)
+{
+ if (*any_reject_code == FW3_REJECT_CODE_TCP_RESET) {
+ warn_elem(e, "tcp-reset not valid for any_reject_code, defaulting to port-unreach");
+ *any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
+ }
+}
+
+static const char*
+get_reject_code(enum fw3_family family, enum fw3_reject_code reject_code)
+{
+ switch (reject_code) {
+ case FW3_REJECT_CODE_TCP_RESET:
+ return "tcp-reset";
+ case FW3_REJECT_CODE_PORT_UNREACH:
+ return "port-unreach";
+ case FW3_REJECT_CODE_ADM_PROHIBITED:
+ return family == FW3_FAMILY_V6 ? "adm-prohibited": "admin-prohib";
+ default:
+ return "unknown";
+ }
}
void
bool seen = false;
+ defs->tcp_reject_code = FW3_REJECT_CODE_TCP_RESET;
+ defs->any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
defs->syn_flood_rate.rate = 25;
defs->syn_flood_rate.burst = 50;
defs->tcp_syncookies = true;
check_policy(e, &defs->policy_output, "output");
check_policy(e, &defs->policy_forward, "forward");
- check_offloading(e, &defs->flow_offloading);
+ check_any_reject_code(e, &defs->any_reject_code);
+
+ check_kmod(e, &defs->flow_offloading, "xt_FLOWOFFLOAD");
}
}
fw3_ipt_rule_comment(r, "Traffic offloading");
fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
fw3_ipt_rule_target(r, "FLOWOFFLOAD");
+ if (defs->flow_offloading_hw)
+ fw3_ipt_rule_addarg(r, false, "--hw", NULL);
fw3_ipt_rule_append(r, "FORWARD");
}
r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code));
fw3_ipt_rule_append(r, "reject");
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->any_reject_code));
fw3_ipt_rule_append(r, "reject");
break;
snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);
- info(" * Set tcp_%s to %s", name, set ? "on" : "off", name);
+ info(" * Set tcp_%s to %s", name, set ? "on" : "off");
if (!(f = fopen(path, "w")))
{