Begin support of rule cache for quicker loading
parent
ff2cae92ef
commit
415dbaaf19
|
@ -4,6 +4,9 @@
|
||||||
now going to be in conf/
|
now going to be in conf/
|
||||||
- Beginning work on configuration tool. If it ever
|
- Beginning work on configuration tool. If it ever
|
||||||
gets completed is a whole different story. :)
|
gets completed is a whole different story. :)
|
||||||
|
- Option to use state or conntrack module for state tracking.
|
||||||
|
By default, use conntrack.
|
||||||
|
- After some research, we seem to not need NEW state match in FORWARD
|
||||||
|
|
||||||
0.9.10 - Brielle Bruns <bruns@2mbit.com>
|
0.9.10 - Brielle Bruns <bruns@2mbit.com>
|
||||||
- Move clamp mss up earlier in the rules to possibly
|
- Move clamp mss up earlier in the rules to possibly
|
||||||
|
|
|
@ -62,6 +62,9 @@ while [ $# -gt 0 ]; do
|
||||||
show_help
|
show_help
|
||||||
exit 0
|
exit 0
|
||||||
;;
|
;;
|
||||||
|
--generate-cache)
|
||||||
|
GEN_CACHE="force"
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
shift
|
shift
|
||||||
done
|
done
|
||||||
|
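Review bot: The new `--generate-cache` arm is not reflected in the user-facing help as far as this diff shows; `show_help` is called two lines above the new arm, but its text is not touched by this commit. Add a help line such as `--generate-cache   write rules to the cache file instead of loading them live`, and a short comment on the arm noting that `force` is the only value the script currently acts on. The `while [ $# -gt 0 ]` loop enclosing this `case` starts before the hunk.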
@ -136,6 +139,18 @@ else
|
||||||
C_STATE="--ctstate"
|
C_STATE="--ctstate"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ "$GEN_CACHE" ]; then
|
||||||
|
case $GEN_CACHE in
|
||||||
|
force)
|
||||||
|
IPTABLES="write_out_rules"
|
||||||
|
if [ "$IPV6" ]; then
|
||||||
|
IP6TABLES="write_out_rules"
|
||||||
|
fi
|
||||||
|
rm -f "${RULE_CACHE}" &>/dev/null
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
$IPTABLES -A INPUT -i lo -j ACCEPT
|
$IPTABLES -A INPUT -i lo -j ACCEPT
|
||||||
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
$IPTABLES -A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
|
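Review bot: `rm -f "${RULE_CACHE}" &>/dev/null` relies on the bash-only `&>` redirection; under a POSIX `/bin/sh` it parses as `rm -f "${RULE_CACHE}" &` followed by `>/dev/null`, backgrounding the removal so it can race the first `write_out_rules` append, and since `-f` already silences the missing-file case `rm -f -- "${RULE_CACHE}"` is sufficient. The `case $GEN_CACHE in` block has only a `force)` arm, so any other value inherited from the environment is silently ignored; a `*) echo "unknown GEN_CACHE value: $GEN_CACHE" >&2; exit 1 ;;` arm would make that explicit. Note also that swapping `IPTABLES="write_out_rules"` only captures rules emitted after this point; if any `$IPTABLES` calls precede this block (outside the hunk) they still run live and will be missing from the cache.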
@ -161,15 +176,6 @@ if [ "$CLAMPMSS" ]; then
|
||||||
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
||||||
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
|
||||||
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
--clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
|
||||||
# This is necessary to make sure that PMTU works
|
|
||||||
#$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
|
|
||||||
# -o $i -j ACCEPT
|
|
||||||
#$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
|
|
||||||
# -i $i -j ACCEPT
|
|
||||||
#$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
|
|
||||||
# -o $i -j ACCEPT
|
|
||||||
#$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
|
|
||||||
# -i $i -j ACCEPT
|
|
||||||
done
|
done
|
||||||
echo -en "\n"
|
echo -en "\n"
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -163,3 +163,8 @@ function apply_ipv4_hack {
|
||||||
done
|
done
|
||||||
echo -en "\n"
|
echo -en "\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# write_out_rules
|
||||||
|
function write_out_rules {
|
||||||
|
echo "$*" >> "$RULE_CACHE"
|
||||||
|
}
|
|
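Review bot: `echo "$*" >> "$RULE_CACHE"` flattens the arguments into one space-joined line, so any argument containing whitespace (for example a `-m comment --comment "..."` value) cannot be split back correctly when the cache is later replayed. Writing the words shell-quoted preserves them exactly: `printf '%q ' "$@" >> "$RULE_CACHE"` followed by `printf '\n' >> "$RULE_CACHE"`. The append also fails if `$BASEDIR/cache` does not exist, and nothing in this commit creates that directory (the `RULE_CACHE=` hunk below only assigns the path), so a `mkdir -p` before the first write, or a check inside `write_out_rules`, is needed. A header comment of the form `# write_out_rules: append one rule per line to $RULE_CACHE instead of invoking iptables` would also help the reader.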
@ -59,3 +59,6 @@ RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
|
||||||
|
|
||||||
# By default, use conntrack instead of state
|
# By default, use conntrack instead of state
|
||||||
STATE_TYPE="conntrack"
|
STATE_TYPE="conntrack"
|
||||||
|
|
||||||
|
# Where we store output of cached rules
|
||||||
|
RULE_CACHE=$BASEDIR/cache/ipt-rules
|
||||||
|
|
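Review bot: `RULE_CACHE=$BASEDIR/cache/ipt-rules` introduces a file whose contents will presumably be fed back into iptables, so its trust boundary deserves a comment: the `cache` directory and the file should be root-owned and not group- or world-writable, otherwise anyone who can write it can add firewall rules at the next load. A comment such as `# Rules are replayed from this file; keep $BASEDIR/cache root-owned and mode 0700` above the assignment states that expectation where the administrator will see it.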