him411/nss-packages-qosmio
1
0
Fork 0
mirror of https://github.com/qosmio/nss-packages.git synced 2025-12-18 09:11:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

qca-nss-ecm: introduce bridge filtering config option

Browse Source 
Issues have been reported with NAT loopback and ECM,
caused by the ECM init script enabling bridge filtering
too early. Introduce a config option to enable bridge
filtering (on by default).
This commit is contained in:
bitthief 2023-02-18 00:02:23 +02:00
parent bffc154981
commit 622f3130b5
2 changed files with 41 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
qca/qca-nss-ecm/files/qca-nss-ecm.init
View File

@ -41,23 +41,42 @@ support_bridge() {
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0 [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && [ -d /sys/kernel/debug/ecm/ecm_nss_ipv6 ] && return 0
} }
enable_bridge_filtering() {
sysctl -w net.bridge.bridge-nf-call-arptables=1
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
if ([ -z "$(grep "net.bridge.bridge-nf-call-arptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
[ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && \
[ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] \
); then
echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf
fi
}
disable_bridge_filtering() {
sysctl -w net.bridge.bridge-nf-call-arptables=0
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf
}
load_ecm() { load_ecm() {
[ -d /sys/module/ecm ] || { [ -d /sys/module/ecm ] || {
insmod ecm front_end_selection=$(get_front_end_mode) insmod ecm front_end_selection=$(get_front_end_mode)
echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts echo 1 > /sys/kernel/debug/ecm/ecm_classifier_default/accel_delay_pkts
} }
support_bridge && { support_bridge && enable_bridge_filtering
sysctl -w net.bridge.bridge-nf-call-arptables=1
sysctl -w net.bridge.bridge-nf-call-iptables=1
sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}
} }
unload_ecm() { unload_ecm() {
sysctl -w net.bridge.bridge-nf-call-arptables=0 disable_bridge_filtering
sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
if [ -d /sys/module/ecm ]; then if [ -d /sys/module/ecm ]; then
# #
@ -83,13 +102,12 @@ start() {
# If the acceleration engine is NSS, enable wifi redirect # If the acceleration engine is NSS, enable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1 [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=1
support_bridge && { # If bridge filtering is enabled, apply and persist the sysctl flags
if ([ -z "$(grep "net.bridge.bridge-nf-call-iptables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ] && [ -z "$(grep "net.bridge.bridge-nf-call-ip6tables=1" /etc/sysctl.d/qca-nss-ecm.conf)" ]); then local bridge_filtering_enabled="$(uci_get ecm @general[0] enable_bridge_filtering)"
echo 'net.bridge.bridge-nf-call-arptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf if [ "$bridge_filtering_enabled" -eq 1 ]; then
echo 'net.bridge.bridge-nf-call-iptables=1' >> /etc/sysctl.d/qca-nss-ecm.conf echo "Bridge filtering is enabled in the ECM config, this will cause issues with NAT loopback!"
echo 'net.bridge.bridge-nf-call-ip6tables=1' >> /etc/sysctl.d/qca-nss-ecm.conf enable_bridge_filtering
fi fi
}
if [ -d /sys/module/qca_ovsmgr ]; then if [ -d /sys/module/qca_ovsmgr ]; then
insmod ecm_ovs insmod ecm_ovs
@ -105,9 +123,11 @@ stop() {
# If the acceleration engine is NSS, disable wifi redirect # If the acceleration engine is NSS, disable wifi redirect
[ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0 [ -d /sys/kernel/debug/ecm/ecm_nss_ipv4 ] && sysctl -w dev.nss.general.redirect=0
sed '/net.bridge.bridge-nf-call-arptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf # If bridge filtering is enabled, reset the sysctl flags
sed '/net.bridge.bridge-nf-call-iptables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf local bridge_filtering_enabled="$(uci_get ecm @general[0] enable_bridge_filtering)"
sed '/net.bridge.bridge-nf-call-ip6tables=1/d' -i /etc/sysctl.d/qca-nss-ecm.conf if [ "$bridge_filtering_enabled" -eq 1 ]; then
disable_bridge_filtering
fi
if [ -d /sys/module/ecm_ovs ]; then if [ -d /sys/module/ecm_ovs ]; then
rmmod ecm_ovs rmmod ecm_ovs

3
qca/qca-nss-ecm/files/qca-nss-ecm.uci
View File

@ -1,2 +1,5 @@
config ecm 'global' config ecm 'global'
option acceleration_engine 'auto' option acceleration_engine 'auto'
config general
option enable_bridge_filtering '1'