Merge pull request #1338 from jasonlyc/bug_fix
improvements to reduce iptables downtime
MelvinTo authored Aug 25, 2024
2 parents ee040a4 + 2afa7a1 commit 6495f62
Showing 2 changed files with 13 additions and 1 deletion.
8 changes: 8 additions & 0 deletions plugins/interface/intf_base_plugin.js
@@ -761,6 +761,12 @@ class InterfaceBasePlugin extends Plugin {
}
}

async resetConnmark() {
// reset first bit of connmark to make packets of established connections go through iptables filter again
await exec(`sudo conntrack -U -m 0x00000000/0x80000000`).catch((err) => {});
await exec(`sudo conntrack -U -f ipv6 -m 0x00000000/0x80000000`).catch((err) => {});
}

async updateRouteForDNS() {
// TODO: there is no IPv6 DNS currently
const dns = await this.getDNSNameservers();
@@ -892,6 +898,8 @@ class InterfaceBasePlugin extends Plugin {

await this.changeRoutingTables();

await this.resetConnmark();

if (this.isWAN()) {
this._wanStatus = {};
this._wanConnState = this._wanConnState || { ready: true, successCount: OFF_ON_THRESHOLD - 1, failureCount: 0 };
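Review bot: `resetConnmark` (first hunk) discards every failure of `conntrack -U` through `.catch((err) => {})`, so a missing conntrack binary, a missing conntrack kernel module or a `sudo` failure leaves the connmark bit set and, per the method's own comment, established flows presumably keep bypassing the iptables filter with nothing in the logs. Since the call exists precisely to force those flows back through the policy after `changeRoutingTables()`, a silent failure is the case an operator most needs to see; keep the best-effort semantics but report the error through the module's logger (not visible in this hunk), e.g. `.catch((err) => log.warn('conntrack -U failed', err.message))`. The comment would also be clearer naming the bit it clears: `// clear the top connmark bit (0x80000000) so established connections are re-evaluated by the iptables filter`. The two `exec` calls are independent, so `await Promise.all([...])` would shorten the window, though the sequential form is harmless. The caller that invokes `resetConnmark()` in the second hunk starts and ends outside the hunk.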
6 changes: 5 additions & 1 deletion scripts/prepare_network_env.sh
@@ -384,6 +384,8 @@ sudo ip -6 r flush table static

# ------ initialize ip rules
# do not touch ip rules created by Firewalla
# intermediate state of ip rule initializaton may result in wrong routing decision and wrongly accepts a packet that should be blocked, so temporarily suspend packet forward
sudo iptables -w -C FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null || sudo iptables -w -I FR_FORWARD -m comment --comment "forward temp suspend" -j DROP
rules_to_remove=`ip rule list | grep -v -e "^\(5000\|6000\|10000\):" | cut -d: -f2-`;
while IFS= read -r line; do
sudo ip rule del $line
@@ -396,7 +398,9 @@ sudo ip rule add pref 32767 from all lookup default
sudo ip rule add pref 500 from all iif lo lookup global_local
sudo ip rule add pref 4001 from all lookup static
"
sudo iptables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP

sudo ip6tables -w -C FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null || sudo ip6tables -w -I FR_FORWARD -m comment --comment "forward temp suspend" -j DROP
rules_to_remove=`ip -6 rule list | grep -v -e "^\(5000\|6000\|10000\):" | cut -d: -f2-`;
while IFS= read -r line; do
sudo ip -6 rule del $line
@@ -409,4 +413,4 @@ sudo ip -6 rule add pref 32767 from all lookup default
sudo ip -6 rule add pref 500 from all iif lo lookup global_local
sudo ip -6 rule add pref 4001 from all lookup static
"

sudo ip6tables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP
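Review bot: The temporary `forward temp suspend` DROP inserted in the first hunk is only removed by the explicit `-D` in the second hunk, so if the script stops anywhere between the two (a failing `ip rule del` if the script runs under `set -e`, a signal, a `sudo` failure) forwarding stays suspended until the next run; the IPv6 pair in the second and third hunks has the same gap. Registering the cleanup once, right after the first insert, guarantees the suspension is lifted however the script ends: `trap 'sudo iptables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null; sudo ip6tables -w -D FR_FORWARD -m comment --comment "forward temp suspend" -j DROP &> /dev/null' EXIT` (confirm no other `EXIT` trap is set elsewhere in the script, which is not visible here, as a second `trap` would replace it). The `-C ... || -I ...` guard also fails quietly when `FR_FORWARD` does not exist yet, in which case the rules are rewritten without any suspension and only the later `-D` reports an error; a comment stating that the chain is expected to pre-exist, or a check before the rule rewrite, would make that assumption explicit. Minor: `initializaton` in the added comment should read `initialization`.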
