固件改进建议

weeyn

1. 有多线接入时,才定时检测. 或者对各个wan口单独开关
    现在每隔10s就检测一次. 粗暴且武断
2. iptables和nftables混用. 4.8.7仍然存在
3. 当防火墙配置修改后,重启防火墙, 有些规则重复添加
    导致,防火墙有修改只能重启.
4. 修正硬件加速, 前面帖子已提到解决办法.
*. 题外话, 盼望纯op固件

weeyn

修改下面2个文件,移除iptables规则. 适用固件4.8.7
修改/etc/firewall.d/qca-nss-ecm
#iptables -nvL FORWARD | grep -q "physdev" && iptables -Z FORWARD 1
#iptables -nvL FORWARD | grep -q "physdev" || iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

if grep -q "fw3" /etc/init.d/firewall; then
        iptables -nvL | grep -q "Chain RATE-LIMIT" && iptables -F RATE-LIMIT
        iptables -nvL | grep -q "Chain RATE-LIMIT" || iptables -N RATE-LIMIT
        iptables -A RATE-LIMIT --match limit --limit 1000/sec --limit-burst 1000 -j RETURN
        iptables -A RATE-LIMIT -j DROP
        iptables -I zone_wan_forward 5 --match conntrack --ctstate NEW -j RATE-LIMIT
elif grep -q "fw4" /etc/init.d/firewall; then
        nft list chain inet fw4 RATE-LIMxIT > /dev/null 2>&1
        [ $? = 1 ] && {
                nft add chain inet fw4 RATE-LIMIT
                nft add rule inet fw4 RATE-LIMIT limit rate 1000/second burst 1000 packets counter return
                nft add rule inet fw4 RATE-LIMIT counter drop
        }
        nft list chain inet fw4 forward_wan 2>/dev/null | grep -q 'jump RATE-LIMIT' || {
                position=$(nft -a list chain inet fw4 forward_wan|grep 'jump drop_to_wan'|awk '{print $NF}')
                [ -n "$position" ] && {
                        nft insert rule inet fw4 forward_wan handle $position ct state new counter jump RATE-LIMIT
                } || {
                        nft add rule inet fw4 forward_wan ct state new counter jump RATE-LIMIT
                }
        }
fi
修改/usr/bin/gl_block.sh
#!/bin/sh

# shellcheck disable=SC3043

. /lib/functions.sh

add_block_mac()
{
        local mac_list
        ipset flush GL_MAC_BLOCK
        config_get mac_list  block_mac mac
        for i in ${mac_list};do
                # ipset add GL_MAC_BLOCK "$i"
                nft add element inet fw4 GL_MAC_BLOCK { "$i" }
        done
}  

create_ipset_entry()
{       
        # local exist=$(ipset list GL_MAC_BLOCK 2>/dev/null)
        local exist=$(nft list set inet fw4 GL_MAC_BLOCK 2>/dev/null)
        [ -z "$exist" ] && {
                # ipset create GL_MAC_BLOCK hash:mac 2>/dev/null
                nft add set inet fw4 GL_MAC_BLOCK { type ether_addr \; } 2>/dev/null
        }
}

add_firewall()
{
        # iptables -w -C FORWARD -m set --match-set GL_MAC_BLOCK src  -j DROP  2>/dev/null
        # [ ! "$?" = "0" ] && iptables -w -I FORWARD -m set --match-set GL_MAC_BLOCK src  -j DROP
        local exist=$(nft list chain inet fw4 forward 2>/dev/null | grep 'ether saddr @GL_MAC_BLOCK counter')
        [ -z "$exist" ] && {
            position=$(nft -a list chain inet fw4 forward|grep '!fw4: Drop flows with invalid conntrack state'|awk '{print $NF}')
            [ -z "$position" ] && position=$(nft -a list chain inet fw4 forward|grep '!fw4: Allow forwarded established and related flows'|awk '{print $NF}')
            [ -n "$position" ] && nft add rule inet fw4 forward handle $position ether saddr @GL_MAC_BLOCK counter drop || nft insert rule inet fw4 forward ether saddr @GL_MAC_BLOCK counter drop
        }
}

create_ipset_entry
add_firewall
if [ -f /etc/config/gl_block -a ! -e "/etc/config/gl-black_white_list" ];then
        config_load gl_block
        config_foreach add_block_mac
else
        # ipset flush GL_MAC_BLOCK
        nft flush set inet fw4 GL_MAC_BLOCK
fi

搜索整理来自百度.