diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2009-02-20 00:38:37 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2009-02-20 00:38:37 +0000 |
commit | 114aa8d1119568feeccfb669dd22ceaf17d696e8 (patch) | |
tree | da8b6676a454ef8c23d81321a70f15473dc5eb87 | |
parent | 8eb07fa76cc1223e50ebb14714607182e3a66698 (diff) |
applications/luci-splash: firewall fixes
-rwxr-xr-x | applications/luci-splash/root/etc/init.d/luci_splash | 27 | ||||
-rw-r--r-- | modules/freifunk/root/etc/firewall.freifunk | 6 |
2 files changed, 25 insertions, 8 deletions
diff --git a/applications/luci-splash/root/etc/init.d/luci_splash b/applications/luci-splash/root/etc/init.d/luci_splash index 85ea8ecaa..1d6e98814 100755 --- a/applications/luci-splash/root/etc/init.d/luci_splash +++ b/applications/luci-splash/root/etc/init.d/luci_splash @@ -17,10 +17,11 @@ iface_add() { [ -n "$netmask" ] || return 0 eval "$(ipcalc.sh $ipaddr $netmask)" - - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal - iptables -t nat -A zone_${zone}_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal + + iptables -t nat -A prerouting_${zone} -j luci_splash_prerouting + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -p ! tcp -j luci_splash_portal + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d ! "$ipaddr" -j luci_splash_portal + iptables -t nat -A luci_splash_prerouting -s "$NETWORK/$PREFIX" -d "$ipaddr" -p tcp -m multiport ! --dport 22,80,443 -j luci_splash_portal } blacklist_add() { @@ -44,9 +45,9 @@ start() { config_load luci_splash ### Create subchains - iptables -t nat -N luci_splash iptables -t nat -N luci_splash_portal iptables -t nat -N luci_splash_leases + iptables -t nat -N luci_splash_prerouting ### Build the main and portal rule config_foreach blacklist_add blacklist @@ -70,16 +71,26 @@ start() { start-stop-daemon -S -b -q -x /usr/bin/luci-splashd } -stop() { +iface_del() { + config_get zone "$1" zone + [ -n "$zone" ] || return 0 + iptables -t nat -D prerouting_${zone} -j luci_splash_prerouting +} + +stop() { + ### Clear interface rules + config_load luci_splash + config_foreach iface_del iface + ### Clear subchains iptables -t nat -F luci_splash_leases iptables -t nat -F luci_splash_portal - iptables -t nat -F luci_splash + iptables -t nat -F luci_splash_prerouting ### Delete subchains iptables -t nat -X luci_splash_leases iptables -t nat -X luci_splash_portal - iptables -t nat -X luci_splash + iptables -t nat -X luci_splash_prerouting ### Stop the splash httpd start-stop-daemon -K -q -x /usr/bin/luci-splashd diff --git a/modules/freifunk/root/etc/firewall.freifunk b/modules/freifunk/root/etc/firewall.freifunk index 663fc615a..c70ac3a2a 100644 --- a/modules/freifunk/root/etc/firewall.freifunk +++ b/modules/freifunk/root/etc/firewall.freifunk @@ -13,6 +13,8 @@ apply_advanced() { local accept_source_route config_get_bool tcp_ecn $1 tcp_ecn 1 + config_get ip_conntrack_max $1 ip_conntrack_max + config_get_bool tcp_westwood $1 tcp_westwood 0 config_get_bool tcp_window_scaling $1 tcp_window_scaling 1 config_get_bool accept_redirects $1 accept_redirects 0 config_get_bool accept_source_route $1 accept_source_route 0 @@ -24,6 +26,8 @@ apply_advanced() { sysctl -w net.ipv4.tcp_ecn=$tcp_ecn >/dev/null sysctl -w net.ipv4.tcp_window_scaling=$tcp_window_scaling >/dev/null + sysctl -w net.ipv4.tcp_westwood=$tcp_westwood >/dev/null + sysctl -w net.ipv4.ip_conntrack_max=$ip_conntrack_max >/dev/null for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo $accept_redirects > $f @@ -51,3 +55,5 @@ apply_nat_fix() { uci_set_state firewall core loaded 1 config_foreach fw_addif interface config_foreach apply_nat_fix interface + +[ -x /etc/init.d/luci_splash ] && /etc/init.d/luci_splash start |