Begin support of rule cache for quicker loading

master
bbruns 2010-11-25 18:50:55 +00:00
parent ff2cae92ef
commit 415dbaaf19
4 changed files with 26 additions and 9 deletions


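--- a/<PATH-UNKNOWN: changelog>
+++ b/<PATH-UNKNOWN: changelog>
@@ -4,6 +4,9 @@
 now going to be in conf/
 - Beginning work on configuration tool. If it ever
 gets completed is a whole different story. :)
+- Option to use state or conntrack module for state tracking.
+By default, use conntrack.
+- After some research, we seem to not need NEW state match in FORWARD
 0.9.10 - Brielle Bruns <bruns@2mbit.com>
 - Move clamp mss up earlier in the rules to possibly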


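--- a/<PATH-UNKNOWN: main firewall script>
+++ b/<PATH-UNKNOWN: main firewall script>
@@ -62,6 +62,9 @@ while [ $# -gt 0 ]; do
 show_help
 exit 0
 ;;
+--generate-cache)
+GEN_CACHE="force"
+;;
 esac
 shift
 done
@@ -136,6 +139,18 @@ else
 C_STATE="--ctstate"
 fi
+if [ "$GEN_CACHE" ]; then
+case $GEN_CACHE in
+force)
+IPTABLES="write_out_rules"
+if [ "$IPV6" ]; then
+IP6TABLES="write_out_rules"
+fi
+rm -f "${RULE_CACHE}" &>/dev/null
+;;
+esac
+fi
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
@@ -161,15 +176,6 @@ if [ "$CLAMPMSS" ]; then
 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
 $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS \
 --clamp-mss-to-pmtu -o $i -m tcpmss --mss 1400:1536
-# This is necessary to make sure that PMTU works
-#$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded \
-# -o $i -j ACCEPT
-#$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-# -i $i -j ACCEPT
-#$IPTABLES -A OUTPUT -p icmp --icmp-type fragmentation-needed \
-# -o $i -j ACCEPT
-#$IPTABLES -A INPUT -p icmp --icmp-type fragmentation-needed \
-# -i $i -j ACCEPT
 done
 echo -en "\n"
 fi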
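Review bot: In the `force)` arm of the second hunk both `IPTABLES` and `IP6TABLES` are pointed at the same `write_out_rules`, and that function appends into the single `$RULE_CACHE` file, so IPv4 and IPv6 rules end up interleaved with nothing marking which family a line belongs to; whatever later replays the cache (not part of this commit) cannot tell them apart. Consider a separate sink for v6, e.g. `IP6TABLES="write_out_rules6"` writing to a second cache path, or have the writer prefix each line with its family. `rm -f "${RULE_CACHE}" &>/dev/null` also hides any removal error, and nothing in the commit creates `$BASEDIR/cache`, so on a fresh install every later `>>` fails and the script carries on with no cache at all; a `mkdir -p "${RULE_CACHE%/*}" || exit 1` before the `rm` would make generation fail loudly instead. The `if`/`else` that sets `C_STATE` begins before this hunk.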


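--- a/<PATH-UNKNOWN: functions file>
+++ b/<PATH-UNKNOWN: functions file>
@@ -163,3 +163,8 @@ function apply_ipv4_hack {
 done
 echo -en "\n"
 }
+# write_out_rules
+function write_out_rules {
+echo "$*" >> "$RULE_CACHE"
+}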
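Review bot: `echo "$*"` in `write_out_rules` flattens the argument vector into one space-joined string, so any argument that itself contains whitespace or shell metacharacters (a `--comment` text, for instance) is written unquoted and will split differently when the cache is replayed. If the loader is a bash-style replay, `{ printf '%q ' "$@"; printf '\n'; } >> "$RULE_CACHE"` preserves each argument exactly as bash would re-read it; at minimum `printf '%s\n' "$*"` avoids echo's option and escape handling (the loader is not in this commit, so this is a presumption). The function also records nothing about which binary (`iptables` or `ip6tables`) the call was meant for, although the main script redirects both to it. The header `# write_out_rules` only repeats the name; say what it does, e.g. `# Stand-in for $IPTABLES/$IP6TABLES under --generate-cache: appends the rule arguments to $RULE_CACHE instead of applying them`.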


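--- a/<PATH-UNKNOWN: config file>
+++ b/<PATH-UNKNOWN: config file>
@@ -59,3 +59,6 @@ RFC1918_SPACE="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
 # By default, use conntrack instead of state
 STATE_TYPE="conntrack"
+# Where we store output of cached rules
+RULE_CACHE=$BASEDIR/cache/ipt-rules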
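Review bot: `RULE_CACHE` is placed under `$BASEDIR/cache` with no statement about that directory's ownership or permissions, yet what is written there is the complete rule set that is presumably replayed as firewall rules later (the loader is not in this commit); if the directory is writable by anyone other than root, the loaded rules are no longer trustworthy. Extend the comment so the requirement is visible to whoever packages or installs this: `# Where we store output of cached rules. Must live in a root-only directory: its contents are replayed as firewall rules.`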