From a802984f89fd53a2f9f4e7c2bfb4a3101b32ac6b Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 8 Dec 2023 03:24:53 +0800 Subject: [PATCH] firewall4: fix adding offloading device Signed-off-by: Tianling Shen (cherry picked from commit 897a98dd6c8472c2565fbf5c740077558eb60517) --- ...rewall4-add-support-for-fullcone-nat.patch | 22 +++++++++---------- .../002-fix-adding-offloading-device.patch | 13 +++++++++++ 2 files changed, 24 insertions(+), 11 deletions(-) create mode 100644 package/network/config/firewall4/patches/002-fix-adding-offloading-device.patch diff --git a/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch b/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch index 39652fc995..9a80563be4 100644 --- a/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch +++ b/package/network/config/firewall4/patches/001-firewall4-add-support-for-fullcone-nat.patch @@ -35,9 +35,9 @@ Renew: ZiMing Mo option name lan --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc -@@ -320,6 +320,12 @@ table inet fw4 { +@@ -327,6 +327,12 @@ table inet fw4 { {% for (let redirect in fw4.redirects(`dstnat_${zone.name}`)): %} - {%+ include("redirect.uc", { fw4, redirect }) %} + {%+ include("redirect.uc", { fw4, zone, redirect }) %} {% endfor %} +{% if (zone.masq && fw4.default_option("fullcone")): %} + {%+ include("zone-fullcone.uc", { fw4, zone, family: 4, direction: "dstnat" }) %} @@ -48,9 +48,9 @@ Renew: ZiMing Mo {% fw4.includes('chain-append', `dstnat_${zone.name}`) %} } -@@ -330,20 +336,26 @@ table inet fw4 { +@@ -337,20 +343,26 @@ table inet fw4 { {% for (let redirect in fw4.redirects(`srcnat_${zone.name}`)): %} - {%+ include("redirect.uc", { fw4, redirect }) %} + {%+ include("redirect.uc", { fw4, zone, redirect }) %} {% endfor %} -{% if (zone.masq): %} +{% if (zone.masq && !fw4.default_option("fullcone")): %} 
@@ -92,7 +92,7 @@ Renew: ZiMing Mo const fs = require("fs"); const uci = require("uci"); const ubus = require("ubus"); -@@ -490,6 +492,25 @@ function nft_try_hw_offload(devices) { +@@ -489,6 +491,25 @@ function nft_try_hw_offload(devices) { return (rc == 0); } @@ -118,7 +118,7 @@ Renew: ZiMing Mo return { read_kernel_version: function() { -@@ -840,6 +861,18 @@ return { +@@ -832,6 +853,18 @@ return { warn(`[!] ${msg}\n`); }, @@ -137,7 +137,7 @@ Renew: ZiMing Mo get: function(sid, opt) { return this.cursor.get("firewall", sid, opt); }, -@@ -1021,6 +1054,21 @@ return { +@@ -1013,6 +1046,21 @@ return { } }, @@ -159,7 +159,7 @@ Renew: ZiMing Mo parse_policy: function(val) { return this.parse_enum(val, [ "accept", -@@ -1460,6 +1508,7 @@ return { +@@ -1452,6 +1500,7 @@ return { "dnat", "snat", "masquerade", @@ -167,7 +167,7 @@ Renew: ZiMing Mo "accept", "reject", "drop" -@@ -1927,6 +1976,8 @@ return { +@@ -1923,6 +1972,8 @@ return { } let defs = this.parse_options(data, { @@ -176,7 +176,7 @@ Renew: ZiMing Mo input: [ "policy", "drop" ], output: [ "policy", "drop" ], forward: [ "policy", "drop" ], -@@ -1961,6 +2012,11 @@ return { +@@ -1957,6 +2008,11 @@ return { delete defs.syn_flood; @@ -188,7 +188,7 @@ Renew: ZiMing Mo this.state.defaults = defs; }, -@@ -2186,10 +2242,23 @@ return { +@@ -2182,10 +2238,23 @@ return { zone.related_subnets = related_subnets; zone.related_physdevs = related_physdevs; diff --git a/package/network/config/firewall4/patches/002-fix-adding-offloading-device.patch b/package/network/config/firewall4/patches/002-fix-adding-offloading-device.patch new file mode 100644 index 0000000000..5da456ae1c --- /dev/null +++ b/package/network/config/firewall4/patches/002-fix-adding-offloading-device.patch 
@@ -0,0 +1,13 @@
+--- a/root/usr/share/ucode/fw4.uc
++++ b/root/usr/share/ucode/fw4.uc
+@@ -2101,8 +2101,8 @@ return {
+ });
+ }
+
+- if (net.physdev && !e.invert)
+- push(related_physdevs, net.physdev);
++ if (net.up && net.device && !e.invert)
++ push(related_physdevs, net.device);
+
+ push(related_subnets, ...(net.ipaddrs || []));
+ }
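Review bot: The added 002 patch has no description header and the new condition `net.up && net.device && !e.invert` is uncommented, so nothing records why the value pushed to `related_physdevs` changes from `net.physdev` to `net.device`, or why interfaces that are down are now skipped. Going by the commit title this list feeds the offload device set, so an interface that is down when the ruleset is rendered would presumably stay out of it until the ruleset is regenerated; that should be confirmed against the reload-on-ifup path and written down. I would add a short From/Subject header to the patch file and a comment above the condition such as `// only interfaces that are up contribute their resolved device to the offload list`. The enclosing block starts and ends outside the hunk, so how `net.up` and `net.device` are populated is not visible here.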