qca-nss-ecm: properly setup firewall, init, defaults for 6.1

Qosmio 2024-01-08 17:44:47 -05:00
parent a74fe1cfa1
commit 2c9ffba363
3 changed files with 111 additions and 97 deletions


@ -16,13 +16,19 @@
# #
uci -q batch << EOF uci -q batch << EOF
delete firewall.qcanssecm delete firewall.qcanssecm
set firewall.qcanssecm=include set firewall.qcanssecm=include
set firewall.qcanssecm.type=script set firewall.qcanssecm.type=script
set firewall.qcanssecm.path=/etc/firewall.d/qca-nss-ecm set firewall.qcanssecm.path=/etc/firewall.d/qca-nss-ecm
set firewall.qcanssecm.family=any commit firewall
set firewall.qcanssecm.reload=1
commit firewall
EOF EOF
grep -q "fw3" /etc/init.d/firewall && {
uci -q batch << EOF
set firewall.qcanssecm.family=any
set firewall.qcanssecm.reload=1
commit firewall
EOF
}
exit 0 exit 0
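Review bot: `grep -q "fw3" /etc/init.d/firewall`, the line right after the first EOF, still prints a "No such file" error to stderr when /etc/init.d/firewall is absent, which a uci-defaults script on a minimal image can hit; `grep -qs "fw3" /etc/init.d/firewall && {` keeps the same branch decision and silences only the missing-file case. The same detection is duplicated in the firewall include script of this commit, so the two should be kept in step. Since the trailing `exit 0` makes the script succeed either way, the fw3-only block deserves a one-line comment stating why it is conditional, e.g. `# family/reload are only meaningful for fw3 includes`.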


@ -1,11 +1,14 @@
#!/bin/sh #!/bin/sh
if [ ! -r /sbin/fw4 ]; then
iptables-save|grep physdev-is-bridged|while read a; do if grep -q "fw3" /etc/init.d/firewall; then
iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
done iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
ip6tables-save|grep physdev-is-bridged|while read a; do iptables -A RATE-LIMIT -j DROP
ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
done elif grep -q "fw4" /etc/init.d/firewall; then
ip6tables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT nft add chain inet fw4 RATE-LIMIT
nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
nft add rule inet fw4 RATE-LIMIT counter drop
nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
fi fi
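Review bot: The fw3 branch installs the RATE-LIMIT chain only with iptables, so under fw3 new forwarded IPv6 connections from WAN are not rate-limited, whereas the fw4 branch uses the `inet` family and covers both; the version this replaces handled ip6tables alongside iptables, so the asymmetry looks unintended. Mirroring the five iptables lines with ip6tables closes the gap, assuming fw3 creates zone_wan_forward in the IPv6 table on the target (verify for zones whose family is not `any`). Separately, `limit rate 1000/second` is one shared budget rather than a per-source one, so a single busy peer can exhaust it for all new inbound connections; if per-source behaviour was intended, a meter keyed on the source address is the usual form.
```shell
if grep -q "fw3" /etc/init.d/firewall; then
  # … unchanged: IPv4 RATE-LIMIT chain setup and zone_wan_forward insert …
  ip6tables -nvL | grep -q "Chain RATE-LIMIT" && ip6tables -F RATE-LIMIT
  ip6tables -nvL | grep -q "Chain RATE-LIMIT" || ip6tables -N RATE-LIMIT
  ip6tables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
  ip6tables -A RATE-LIMIT -j DROP
  ip6tables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
# … unchanged: fw4 nft branch …
```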


@ -18,116 +18,121 @@
# openwrt build scripts automatically enable this package starting # openwrt build scripts automatically enable this package starting
# at boot. # at boot.
START=19 START=26
get_front_end_mode() { sysctl_update() {
config_load "ecm" local name value file
config_get front_end global acceleration_engine "auto" name=${1//\//\\/}
value=${2//\//\\/}
case $front_end in file=${3:-/etc/sysctl.d/qca-nss-ecm.conf}
auto) sed -i -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
echo '0' -e '$a'"${name}"'='"${value}" "${file}"
;; sysctl -w ${name}=${value}
nss)
echo '1'
;;
*)
echo 'uci_option_acceleration_engine is invalid'
esac
} }
support_bridge() { get_front_end_mode() {
# NSS support bridge acceleration config_load "ecm"
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0 config_get front_end global acceleration_engine "auto"
case $front_end in
auto)
echo '0'
;;
nss)
echo '1'
;;
*)
echo 'uci_option_acceleration_engine is invalid'
esac
} }
enable_bridge_filtering() { enable_bridge_filtering() {
sysctl -w net.bridge.bridge-nf-call-arptables=1 sysctl_update net.bridge.bridge-nf-call-arptables 1
sysctl -w net.bridge.bridge-nf-call-iptables=1 sysctl_update net.bridge.bridge-nf-call-iptables 1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1 sysctl_update net.bridge.bridge-nf-call-ip6tables 1
if ([ -z "$(grep "net.bridge.bridge-nf-call-arptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
[ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
[ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] \
); then
echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
fi
} }
disable_bridge_filtering() { disable_bridge_filtering() {
sysctl -w net.bridge.bridge-nf-call-arptables=0 sysctl_update net.bridge.bridge-nf-call-arptables 0
sysctl -w net.bridge.bridge-nf-call-iptables=0 sysctl_update net.bridge.bridge-nf-call-iptables 0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0 sysctl_update net.bridge.bridge-nf-call-ip6tables 0
sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
} }
load_ecm() { load_ecm() {
[ -d /sys/module/ecm ] || { [ -d /sys/module/ecm ] || {
insmod ecm front_end_selection=$(get_front_end_mode) insmod ecm front_end_selection="$(get_front_end_mode)"
echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts
} }
support_bridge # Set conntrack event mode to 1 for 6.1 kernel to get the conntrack events from ECM
local kernel_major
kernel_major=$(uname -r |cut -d. -f1)
if [ "$kernel_major" -eq 6 ]; then
echo 1 > /proc/sys/net/netfilter/nf_conntrack_events
fi
} }
unload_ecm() { unload_ecm() {
disable_bridge_filtering disable_bridge_filtering
if [ -d /sys/module/ecm ]; then # Change it back to 6.1 linux's default setting
# local kernel_major
# Stop ECM frontends kernel_major="$(uname -r |cut -d. -f1)"
# if [ "$kernel_major" -eq 6 ]; then
echo 1 > /sys/kernel/debug/ecm/front_end_ipv4_stop echo 2 > /proc/sys/net/netfilter/nf_conntrack_events
echo 1 > /sys/kernel/debug/ecm/front_end_ipv6_stop fi
# if [ -d /sys/module/ecm ]; then
# Defunct the connections #
# # Stop ECM frontends
echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all #
sleep 5 echo 1 > /sys/kernel/debug/ecm/front_end_ipv4_stop
echo 1 > /sys/kernel/debug/ecm/front_end_ipv6_stop
rmmod ecm #
sleep 1 # Defunct the connections
fi #
echo 1 > /sys/kernel/debug/ecm/ecm_db/defunct_all
sleep 5
rmmod ecm
sleep 1
fi
} }
start() { start() {
load_ecm load_ecm
# If the acceleration engine is NSS, enable wifi redirect # If the acceleration engine is NSS, enable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1 [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
# If bridge filtering is enabled, apply and persist the sysctl flags # If bridge filtering is enabled, apply and persist the sysctl flags
local bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)" local bridge_filtering_enabled
if [ "$bridge_filtering_enabled" -eq 1 ]; then bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)"
echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!" if [ "$bridge_filtering_enabled" -eq 1 ]; then
enable_bridge_filtering echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!"
else enable_bridge_filtering
disable_bridge_filtering else
fi disable_bridge_filtering
fi
if [ -d /sys/module/qca_ovsmgr ]; then if [ -d /sys/module/qca_ovsmgr ]; then
insmod ecm_ovs insmod ecm_ovs
fi fi
} }
stop() { stop() {
# If ECM is already not loaded, just return # If ECM is already not loaded, just return
if [ ! -d /sys/module/ecm ]; then if [ ! -d /sys/module/ecm ]; then
return return
fi fi
# If the acceleration engine is NSS, disable wifi redirect # If the acceleration engine is NSS, disable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0 [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0
if [ -d /sys/module/ecm_ovs ]; then if [ -d /sys/module/ecm_ovs ]; then
rmmod ecm_ovs rmmod ecm_ovs
fi fi
unload_ecm unload_ecm
} }
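Review bot: In `sysctl_update` the slash-escaped copies `name` and `value` built for the sed expression are reused in `sysctl -w ${name}=${value}`, so any key or value containing a `/` (sysctl also accepts the `net/ipv4/...` spelling) would reach sysctl with stray backslashes; passing the raw arguments as one quoted word, `sysctl -w "$1=$2"`, avoids both that and the unquoted expansion. The dots in `name` are unescaped inside the regex, so the match is slightly broader than the literal key, and `\?`/`\s` are GNU sed extensions — confirm the busybox sed on the target accepts them before relying on this in an init script. In `load_ecm` and `unload_ecm`, `[ "$kernel_major" -eq 6 ]` silently skips any kernel newer than 6.x, while the comment says the setting is for 6.1 and later; `[ "$kernel_major" -ge 6 ]` in both places matches that intent, assuming the conntrack-events default did not change again afterwards.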