[package] firewall: fix MSS issue affection RELATED new connections (closes: #5173)

[openwrt/svn-archive/archive.git] / package / firewall / files / uci_firewall.sh

diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index c197003595372804093f10d4ad0c92c42c8b94b4..8418b64d306db4208882fc92fe12fa78b6e3c913 100755 (executable)
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -52,6 +52,7 @@ create_zone() {
        $IPTABLES -N zone_$1_nat -t nat
        $IPTABLES -N zone_$1_prerouting -t nat
        [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$1_nat
+       [ "$7" == "1" ] && $IPTABLES -I FORWARD 1 -j zone_$1_MSSFIX
 }
 
 addif() {
@@ -84,6 +85,7 @@ addif() {
        $IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
        uci_set_state firewall core "${network}_ifname" "$ifname"
        uci_set_state firewall core "${network}_zone" "$zone"
+       ACTION=add ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall
 }
 
 delif() {
@@ -105,6 +107,7 @@ delif() {
        $IPTABLES -D forward -i "$ifname" -j zone_${zone}_forward
        uci_revert_state firewall core "${network}_ifname"
        uci_revert_state firewall core "${network}_zone"
+       ACTION=remove ZONE="$zone" INTERFACE="$network" DEVICE="$ifname" /sbin/hotplug-call firewall
 }
 
 load_synflood() {
@@ -127,6 +130,13 @@ fw_set_chain_policy() {
        $IPTABLES -P $chain $target
 }
 
+fw_clear() {
+       $IPTABLES -F
+       $IPTABLES -t nat -F
+       $IPTABLES -t nat -X
+       $IPTABLES -X
+}
+
 fw_defaults() {
        [ -n "$DEFAULTS_APPLIED" ] && {
                echo "Error: multiple defaults sections detected"
@@ -153,10 +163,7 @@ fw_defaults() {
        $IPTABLES -P OUTPUT DROP
        $IPTABLES -P FORWARD DROP
 
-       $IPTABLES -F
-       $IPTABLES -t nat -F
-       $IPTABLES -t nat -X
-       $IPTABLES -X
+       fw_clear
 
        config_get_bool drop_invalid $1 drop_invalid 1
 
@@ -206,10 +213,12 @@ fw_zone() {
        config_get name $1 name
        config_get network $1 network
        config_get masq $1 masq
+       config_get_bool mtu_fix $1 mtu_fix 0
+
        load_policy $1
 
        [ -z "$network" ] && network=$name
-       create_zone "$name" "$network" "$input" "$output" "$forward" "$masq"
+       create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" "$mtu_fix"
        fw_custom_chains_zone "$name"
 }
 
@@ -280,11 +289,9 @@ fw_forwarding() {
 
        config_get src $1 src
        config_get dest $1 dest
-       config_get_bool mtu_fix $1 mtu_fix 0
        [ -n "$src" ] && z_src=zone_${src}_forward || z_src=forward
        [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
        $IPTABLES -I $z_src 1 -j $z_dest
-       [ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX
 }
 
 fw_redirect() {
@@ -416,10 +423,7 @@ fw_init() {
 }
 
 fw_stop() {
-       $IPTABLES -F
-       $IPTABLES -t nat -F
-       $IPTABLES -t nat -X
-       $IPTABLES -X
+       fw_clear
        $IPTABLES -P INPUT ACCEPT
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD ACCEPT