qca-nss-ecm: properly setup firewall, init, defaults for 6.1

2025-12-19 09:41:29 +00:00 · 2024-01-08 17:44:47 -05:00 · 2024-01-08 17:44:47 -05:00 · 2c9ffba363
commit 2c9ffba363
parent a74fe1cfa1
3 changed files with 111 additions and 97 deletions
--- a/qca/qca-nss-ecm/files/qca-nss-ecm.defaults
+++ b/qca/qca-nss-ecm/files/qca-nss-ecm.defaults
@ -20,9 +20,15 @@ uci -q batch << EOF
    set firewall.qcanssecm=include
    set firewall.qcanssecm.type=script
    set firewall.qcanssecm.path=/etc/firewall.d/qca-nss-ecm
    commit firewall
 EOF
 grep -q "fw3" /etc/init.d/firewall && {
  uci -q batch << EOF
    set firewall.qcanssecm.family=any
    set firewall.qcanssecm.reload=1
    commit firewall
 EOF
 }
 exit 0
--- a/qca/qca-nss-ecm/files/qca-nss-ecm.firewall
+++ b/qca/qca-nss-ecm/files/qca-nss-ecm.firewall
@ -1,11 +1,14 @@
 #!/bin/sh
-if [ ! -r /sbin/fw4 ]; then
+
-iptables-save|grep physdev-is-bridged|while read a; do
+if grep -q "fw3" /etc/init.d/firewall; then
-	iptables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+	iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
-done
+	iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
-iptables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
+	iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
-ip6tables-save|grep physdev-is-bridged|while read a; do
+	iptables -A RATE-LIMIT -j DROP
-	ip6tables -D FORWARD -m physdev --physdev-is-bridged -j ACCEPT
+	iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
-done
+elif grep -q "fw4" /etc/init.d/firewall; then
-ip6tables -I FORWARD 1 -m physdev --physdev-is-bridged -j ACCEPT
+	nft add chain inet fw4 RATE-LIMIT
 	nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
 	nft add rule inet fw4 RATE-LIMIT counter drop
 	nft insert rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
 fi
--- a/qca/qca-nss-ecm/files/qca-nss-ecm.init
+++ b/qca/qca-nss-ecm/files/qca-nss-ecm.init
@ -18,7 +18,17 @@
 # openwrt build scripts automatically enable this package starting
 # at boot.
-START=19
+START=26
 sysctl_update() {
  local name value file
  name=${1//\//\\/}
  value=${2//\//\\/}
  file=${3:-/etc/sysctl.d/qca-nss-ecm.conf}
  sed -i -e '/^#\?\(\s*'"${name}"'\s*=\s*\).*/{s//\1'"${value}"'/;:a;n;ba;q}' \
    -e '$a'"${name}"'='"${value}" "${file}"
  sysctl -w ${name}=${value}
 }
 get_front_end_mode() {
  config_load "ecm"
@ -36,48 +46,42 @@ get_front_end_mode() {
  esac
 }
 support_bridge() {
 	# NSS support bridge acceleration
 	[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0
 }
 enable_bridge_filtering() {
-	sysctl -w net.bridge.bridge-nf-call-arptables=1
+  sysctl_update net.bridge.bridge-nf-call-arptables 1
-	sysctl -w net.bridge.bridge-nf-call-iptables=1
+  sysctl_update net.bridge.bridge-nf-call-iptables 1
-	sysctl -w net.bridge.bridge-nf-call-ip6tables=1
+  sysctl_update net.bridge.bridge-nf-call-ip6tables 1
 	if ([ -z "$(grep "net.bridge.bridge-nf-call-arptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
 		[ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
 		[ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] \
 	); then
 		echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
 		echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
 		echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
 	fi
 }
 disable_bridge_filtering() {
-	sysctl -w net.bridge.bridge-nf-call-arptables=0
+  sysctl_update net.bridge.bridge-nf-call-arptables 0
-	sysctl -w net.bridge.bridge-nf-call-iptables=0
+  sysctl_update net.bridge.bridge-nf-call-iptables 0
-	sysctl -w net.bridge.bridge-nf-call-ip6tables=0
+  sysctl_update net.bridge.bridge-nf-call-ip6tables 0
 	sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
 	sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
 	sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
 }
 load_ecm() {
  [ -d /sys/module/ecm ] || {
-		insmod ecm front_end_selection=$(get_front_end_mode)
+    insmod ecm front_end_selection="$(get_front_end_mode)"
    echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts
  }
-	support_bridge
+  # Set conntrack event mode to 1 for 6.1 kernel to get the conntrack events from ECM
  local kernel_major
  kernel_major=$(uname -r |cut -d. -f1)
  if [ "$kernel_major" -eq 6 ]; then
    echo 1 > /proc/sys/net/netfilter/nf_conntrack_events
  fi
 }
 unload_ecm() {
  disable_bridge_filtering
  # Change it back to 6.1 linux's default setting
  local kernel_major
  kernel_major="$(uname -r |cut -d. -f1)"
  if [ "$kernel_major" -eq 6 ]; then
    echo 2 > /proc/sys/net/netfilter/nf_conntrack_events
  fi
  if [ -d /sys/module/ecm ]; then
    #
    # Stop ECM frontends
@ -103,7 +107,8 @@ start() {
  [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
  # If bridge filtering is enabled, apply and persist the sysctl flags
-	local bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)"
+  local bridge_filtering_enabled
  bridge_filtering_enabled="$(uci get ecm.@general[0].enable_bridge_filtering)"
  if [ "$bridge_filtering_enabled" -eq 1 ]; then
    echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!"
    enable_bridge_filtering