From b8058fda61b8538010e60363bcf0709172260e2f Mon Sep 17 00:00:00 2001
From: Fedor Kozhevnikov
Date: Mon, 21 Mar 2011 17:20:16 -0400
Subject: [PATCH] rc: properly enable/disable BCM fast NAT based on firewall rules

---
 release/src/router/rc/firewall.c | 38 +++++++++++++++++++++++++++++++++++++-
 release/src/router/rc/restrict.c | 17 +++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/release/src/router/rc/firewall.c b/release/src/router/rc/firewall.c
index 2751d94c43..a611b65f10 100644
--- a/release/src/router/rc/firewall.c
+++ b/release/src/router/rc/firewall.c
@@ -35,6 +35,9 @@ char lanface[IFNAMSIZ + 1];
 char wan6face[IFNAMSIZ + 1];
 #endif
 char lan_cclass[sizeof("xxx.xxx.xxx.") + 1];
+#ifdef LINUX26
+static int can_enable_fastnat;
+#endif
 
 #ifdef DEBUG_IPTFILE
 static int debug_only = 0;
@@ -70,6 +73,23 @@ struct {
 
 // -----------------------------------------------------------------------------
 
+#ifdef LINUX26
+void enable_fastnat(int enable)
+{
+ f_write_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat",
+ enable ? "1" : "0", 0, 0);
+}
+
+int fastnat_enabled(void)
+{
+ char v[4];
+
+ if (f_read_string("/proc/sys/net/ipv4/netfilter/ip_conntrack_fastnat", v, sizeof(v)) > 0)
+ return atoi(v);
+
+ return 0;
+}
+#endif
 
 void enable_ip_forward(void)
 {
@@ -307,7 +327,12 @@ void ipt_layer7_inbound(void)
 
 p = layer7_in;
 while (*p) {
- if (en) ipt_write("-A L7in %s -j RETURN\n", *p);
+ if (en) {
+ ipt_write("-A L7in %s -j RETURN\n", *p);
+#ifdef LINUX26
+ can_enable_fastnat = 0;
+#endif
+ }
 free(*p);
 ++p;
 }
@@ -377,6 +402,10 @@ static void ipt_webmon()
 int ok;
 
 if (!nvram_get_int("log_wm")) return;
+
+#ifdef LINUX26
+ can_enable_fastnat = 0;
+#endif
 wmtype = nvram_get_int("log_wmtype");
 clear = nvram_get_int("log_wmclear");
 
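Review bot: `enable_fastnat()` in the firewall.c hunk at -70 discards the result of `f_write_string()`, so if writing "0" fails, fast NAT stays on while the layer7 or web-monitor rules that cleared `can_enable_fastnat` are in force, and nothing is logged. Assuming `f_write_string()` signals failure through its return value (its definition is not on this page), check it and log a warning when the write does not succeed. In `fastnat_enabled()`, `atoi(v)` is only safe if `f_read_string()` NUL-terminates `v`; that is not visible here and should be confirmed. Both functions also lack a header comment; something like `/* Toggle BCM fast NAT; must be 0 whenever rules that need full netfilter traversal are loaded. */` would record the contract.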
@@ -1188,6 +1217,10 @@ int start_firewall(void)
 strlcpy(wan6face, get_wan6face(), sizeof(wan6face));
 #endif
 
+#ifdef LINUX26
+ can_enable_fastnat = (nvram_get_int("fastnat_disable") == 0);
+#endif
+
 strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
 strlcpy(lan_cclass, s, sizeof(lan_cclass));
@@ -1318,6 +1351,9 @@ int start_firewall(void)
 killall("miniupnpd", SIGUSR2);
 }
 
+#ifdef LINUX26
+ enable_fastnat(can_enable_fastnat);
+#endif
 simple_unlock("restrictions");
 sched_restrictions();
 enable_ip_forward();
diff --git a/release/src/router/rc/restrict.c b/release/src/router/rc/restrict.c
index bcc3dc6f18..71a3eac3c2 100644
--- a/release/src/router/rc/restrict.c
+++ b/release/src/router/rc/restrict.c
@@ -11,6 +11,10 @@
 
 #define MAX_NRULES 50
 
+#ifdef LINUX26
+extern void enable_fastnat(int enable);
+extern int fastnat_enabled(void);
+#endif
 
 static inline void unsched_restrictions(void)
 {
@@ -80,6 +84,9 @@ int rcheck_main(int argc, char *argv[])
 #ifdef TCONFIG_IPV6
 int r6;
 #endif
+#ifdef LINUX26
+ int fastnat;
+#endif
 
 if (!nvram_contains_word("log_events", "acre")) {
 setlogmask(LOG_MASK(LOG_EMERG)); // can't set to 0
@@ -101,6 +108,10 @@ int rcheck_main(int argc, char *argv[])
 now_mins = (tms->tm_hour * 60) + tms->tm_min;
 }
 
+#ifdef LINUX26
+ fastnat = fastnat_enabled() && (nvram_get_int("fastnat_disable") == 0);
+#endif
+
 activated = strtoull(nvram_safe_get("rrules_activated"), NULL, 16);
 count = 0;
 radio = foreach_wif(0, NULL, radio_on) ? -1 : -2;
@@ -138,6 +149,9 @@ int rcheck_main(int argc, char *argv[])
 
 // ignore error above (if any)
 r = eval("iptables", "-A", "restrict", "-j", buf);
+#ifdef LINUX26
+ if (r == 0) fastnat = 0;
+#endif
 }
 
 #ifdef TCONFIG_IPV6
@@ -192,6 +206,9 @@ int rcheck_main(int argc, char *argv[])
 #endif
 }
 
+#ifdef LINUX26
+ enable_fastnat(fastnat);
+#endif
 simple_unlock("restrictions");
 return 0;
 }
-- 
2.11.4.GIT
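Review bot: `enable_fastnat(can_enable_fastnat)` in the `start_firewall()` hunk at -1318 appears to run only after the new rule set is in place, so until that line is reached fast NAT keeps whatever value the previous configuration left, even if layer7 or web-monitor rules are already active. A fail-safe order would be to call `enable_fastnat(0);` before the rules are applied and write the final value here; the rule-loading code is outside this hunk, so the exact place needs confirming. In the visible hunks only `ipt_layer7_inbound()` and `ipt_webmon()` clear `can_enable_fastnat`, so any other rule type that depends on full netfilter traversal would need the same line.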
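Review bot: The prototypes added at the top of restrict.c (hunk at -11) are local `extern` declarations rather than declarations in a header that firewall.c also includes, so the compiler cannot catch a mismatch if the signature of `enable_fastnat()` or `fastnat_enabled()` changes later. Move both lines, under the same `#ifdef LINUX26`, into the header shared by the rc sources so the definition and every caller are checked against one declaration.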
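Review bot: In `rcheck_main()` (hunk at -101) `fastnat` is seeded from the live proc value and is cleared only by `if (r == 0) fastnat = 0;` in the hunk at -138, right after a rule has been appended in this pass. If the loop skips restrictions that are already active (the loop head is outside these hunks), a `start_firewall()` run that writes 1 would not be corrected here while those rules remain in the chain; consider clearing `fastnat` for every rule that is currently in schedule, not only for the ones appended now. The seeding also means this path can never turn fast NAT back on after the last restriction expires, which deserves a comment such as `/* rcheck only ever disables fast NAT; start_firewall() re-enables it */`.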