authorKarel Kočí <cynerd@email.cz>2021-05-15 13:16:12 +0200
committerKarel Kočí <cynerd@email.cz>2021-05-15 13:16:12 +0200
commit53f535f7ccfeaf191c11350f422b062b68870ae3 (patch)
treeb552c105827df5d35661a83dc325ecdd6e2fa88d /firewall/patches
parentef7468756e2e509c3972b95da934a02173c34a0a (diff)
firewall: add to test
Diffstat (limited to 'firewall/patches')
-rw-r--r--firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch33
-rw-r--r--firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch38
-rw-r--r--firewall/patches/0003-Allow-NAT-for-IPv6.patch54
3 files changed, 125 insertions, 0 deletions
diff --git a/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
new file mode 100644
index 0000000..9e23dfd
--- /dev/null
+++ b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
@@ -0,0 +1,33 @@
+From 4a7df7d8c4e40fd2ce0d9f125755249dee17a8bd Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 24 Jul 2020 12:52:59 +0800
+Subject: [PATCH] zones: apply tcp mss clamping also on ingress path
+
+Fixes FS#3231
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+Acked-by: Jo-Philipp Wich <jo@mein.io>
+(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a)
+---
+ zones.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zones.c b/zones.c
+index 01fb706..3d54a76 100644
+--- a/zones.c
++++ b/zones.c
+@@ -552,6 +552,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ fw3_ipt_rule_target(r, "TCPMSS");
+ fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+ fw3_ipt_rule_replace(r, "FORWARD");
++
++ r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
++ fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
++ fw3_ipt_rule_addarg(r, false, "SYN", NULL);
++ fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
++ fw3_ipt_rule_target(r, "TCPMSS");
++ fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
++ fw3_ipt_rule_replace(r, "FORWARD");
+ }
+ }
+ else if (handle->table == FW3_TABLE_RAW)
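Review bot: The added rule reuses the comment text `"Zone %s MTU fixing"`, which presumably matches the existing rule just above it (that rule's comment line is outside the hunk), so the two FORWARD entries for a zone cannot be told apart in a ruleset listing or during an audit. A direction marker would fix that, e.g. `fw3_ipt_rule_comment(r, "Zone %s MTU fixing (ingress)", zone->name);`. A one-line code comment above the new `fw3_ipt_rule_create` call, such as `/* same clamp for SYNs arriving on dev */`, would also record why the rule is emitted twice. The body of print_interface_rule starts and ends outside the hunk.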
diff --git a/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
new file mode 100644
index 0000000..c7a4593
--- /dev/null
+++ b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
@@ -0,0 +1,38 @@
+From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001
+From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+Date: Sat, 15 Aug 2020 13:50:27 +0900
+Subject: [PATCH] options: fix parsing of boolean attributes
+
+Boolean attributes were parsed the same way as string attributes,
+so a value of { "bool_attr": "true" } would be parsed correctly, but
+{ "bool_attr": true } (without quotes) was parsed as false.
+
+Fixes FS#3284
+
+Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+---
+ options.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/options.c
++++ b/options.c
+@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st
+ if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ v = buf;
++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++ v = buf;
+ } else {
+ v = blobmsg_get_string(e);
+ }
+@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st
+ if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ v = buf;
++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++ v = buf;
+ } else {
+ v = blobmsg_get_string(o);
+ }
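Review bot: In the first inner hunk (around options.c line 1170) the new branch tests and reads `o`, while the neighbouring branches in the same chain test and read `e`: `blobmsg_type(e) == BLOBMSG_TYPE_INT32` before it and `blobmsg_get_string(e)` after it. If `e` is the list element and `o` its container, as the second hunk's use of `o` suggests (the loop header is outside the hunk), the BOOL branch never matches for list elements, and a boolean element still reaches `blobmsg_get_string(e)`. The two added lines there should probably read `} else if (blobmsg_type(e) == BLOBMSG_TYPE_BOOL) {` and `snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(e));`. Since these options feed firewall rule generation, a boolean that silently parses as false is worth a regression test with an unquoted `true` inside a list.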
diff --git a/firewall/patches/0003-Allow-NAT-for-IPv6.patch b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
new file mode 100644
index 0000000..71f50c8
--- /dev/null
+++ b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
@@ -0,0 +1,54 @@
+From c0d53458a7d06e116b6ef8c95b5c0c7a0826a0dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
+Date: Sat, 15 May 2021 13:15:32 +0200
+Subject: [PATCH] Allow NAT for IPv6
+
+---
+ defaults.c | 4 ++--
+ zones.c | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/defaults.c b/defaults.c
+index 7ad4fba..b0b4698 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
+ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
+ C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
+
+- C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"),
+- C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_rule"),
+
+ { }
+ };
+diff --git a/zones.c b/zones.c
+index 51a8fdf..545ced4 100644
+--- a/zones.c
++++ b/zones.c
+@@ -37,8 +37,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ C(ANY, FILTER, REJECT, "zone_?_dest_REJECT"),
+ C(ANY, FILTER, DROP, "zone_?_dest_DROP"),
+
+- C(V4, NAT, SNAT, "zone_?_postrouting"),
+- C(V4, NAT, DNAT, "zone_?_prerouting"),
++ C(ANY, NAT, SNAT, "zone_?_postrouting"),
++ C(ANY, NAT, DNAT, "zone_?_prerouting"),
+
+ C(ANY, RAW, HELPER, "zone_?_helper"),
+ C(ANY, RAW, NOTRACK, "zone_?_notrack"),
+@@ -47,8 +47,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ C(ANY, FILTER, CUSTOM_CHAINS, "output_?_rule"),
+ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_?_rule"),
+
+- C(V4, NAT, CUSTOM_CHAINS, "prerouting_?_rule"),
+- C(V4, NAT, CUSTOM_CHAINS, "postrouting_?_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_?_rule"),
++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_?_rule"),
+
+ { }
+ };
+--
+2.31.1
+
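Review bot: The patch has no description or Signed-off-by, and it switches every NAT chain spec in `default_chains[]` and `zone_chains[]` from `V4` to `ANY` without showing what else has to agree with that. Whether the rest of fw3 (NAT table setup, redirect and SNAT rule emission) is still restricted to IPv4 is not visible here, so the change may only create empty ip6tables nat chains, or may fail where the kernel lacks IPv6 NAT support (on OpenWrt this is normally provided by kmod-ipt-nat6). The commit message should state the intent and that dependency, and a comment above the changed entries, e.g. `/* NAT chains for both families; IPv6 needs ip6table_nat */`, would keep the reason from being lost on a rebase. Because this alters the IPv6 ruleset the firewall generates, comparing the ip6tables output before and after a reload is worth doing before the package leaves testing.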