aboutsummaryrefslogtreecommitdiffstats
path: root/package/firewall
diff options
context:
space:
mode:
authorFelix Fietkau <nbd@openwrt.org>2008-12-31 19:02:03 +0000
committerFelix Fietkau <nbd@openwrt.org>2008-12-31 19:02:03 +0000
commit1907e1587aed3911a61a85a1440faf2430b8254e (patch)
tree797165c16ae02bc665da14e281af78f9ce9a73a6 /package/firewall
parent0295253d4faba17a12671c1b1c33afb4436a8d98 (diff)
downloadupstream-1907e1587aed3911a61a85a1440faf2430b8254e.tar.gz
upstream-1907e1587aed3911a61a85a1440faf2430b8254e.tar.bz2
upstream-1907e1587aed3911a61a85a1440faf2430b8254e.zip
disable the MSS fixup hack by default (most ISPs don't require this as a workaround for MTU problems, only some do). this should give a nice speedup for routing on standard-compliant ISPs
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@13788 3c298f89-4303-0410-b956-a3cf2f4a3e73
Diffstat (limited to 'package/firewall')
-rwxr-xr-xpackage/firewall/files/firewall.config5
-rwxr-xr-xpackage/firewall/files/uci_firewall.sh5
2 files changed, 9 insertions, 1 deletions
diff --git a/package/firewall/files/firewall.config b/package/firewall/files/firewall.config
index e9035199fc..16d688e993 100755
--- a/package/firewall/files/firewall.config
+++ b/package/firewall/files/firewall.config
@@ -21,6 +21,11 @@ config forwarding
option src lan
option dest wan
+## Enable this option if you encounter any MTU problems
+## e.g. some websites work, others do not, submitting
+## forms causes problems, ...
+# option mtu_fix 1
+
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
diff --git a/package/firewall/files/uci_firewall.sh b/package/firewall/files/uci_firewall.sh
index f46a533efd..41b2b5f76c 100755
--- a/package/firewall/files/uci_firewall.sh
+++ b/package/firewall/files/uci_firewall.sh
@@ -41,6 +41,7 @@ create_zone() {
config_set $ZONE_LIST $1 1
$IPTABLES -N zone_$1
+ $IPTABLES -N zone_$1_MSSFIX
$IPTABLES -N zone_$1_ACCEPT
$IPTABLES -N zone_$1_DROP
$IPTABLES -N zone_$1_REJECT
@@ -60,6 +61,7 @@ addif() {
[ -n "$dev" -a "$dev" == "$1" ] && return
logger "adding $1 to firewall zone $2"
$IPTABLES -A input -i $1 -j zone_$2
+ $IPTABLES -I zone_$2_MSSFIX 1 -o $1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -I zone_$2_ACCEPT 1 -o $1 -j ACCEPT
$IPTABLES -I zone_$2_DROP 1 -o $1 -j DROP
$IPTABLES -I zone_$2_REJECT 1 -o $1 -j reject
@@ -147,7 +149,6 @@ fw_defaults() {
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
- $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
@@ -250,9 +251,11 @@ fw_forwarding() {
config_get src $1 src
config_get dest $1 dest
+ config_get_bool mtu_fix $1 mtu_fix 0
[ -n "$src" ] && z_src=zone_${src}_forward || z_src=forward
[ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
$IPTABLES -I $z_src 1 -j $z_dest
+ [ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX
}
fw_redirect() {