#define C(f, tbl, def, fmt) \
{ FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##def, fmt }
-static const struct fw3_rule_spec default_chains[] = {
+static const struct fw3_chain_spec default_chains[] = {
C(ANY, FILTER, UNSPEC, "delegate_input"),
C(ANY, FILTER, UNSPEC, "delegate_output"),
C(ANY, FILTER, UNSPEC, "delegate_forward"),
C(ANY, MANGLE, UNSPEC, "mssfix"),
C(ANY, MANGLE, UNSPEC, "fwmark"),
- C(ANY, RAW, UNSPEC, "notrack"),
+ C(ANY, RAW, UNSPEC, "delegate_notrack"),
{ }
};
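Review bot: Renaming the raw-table chain on the changed line from `notrack` to `delegate_notrack` means a chain still named `notrack` from a previous firewall3 run is no longer visited by the flush/delete loop, since that loop walks only the names in default_chains. If an in-place reload after upgrade leaves the old chain (and any NOTRACK rules in it) behind, traffic could keep bypassing conntrack until the next reboot should anything still jump to it; I cannot see from this hunk whether the raw table is flushed wholesale elsewhere. A one-time cleanup on the reload path, e.g. `if (handle->table == FW3_TABLE_RAW) { fw3_ipt_flush_chain(handle, "notrack"); fw3_ipt_delete_chain(handle, "notrack"); }`, would close that gap, and the rename deserves a short comment naming the old chain it supersedes.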
FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
- FW3_OPT("tcp_ecn", bool, defaults, tcp_ecn),
+ FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
FW3_OPT("accept_redirects", bool, defaults, accept_redirects),
bool reload)
{
struct fw3_defaults *defs = &state->defaults;
- const struct fw3_rule_spec *c;
+ const struct fw3_chain_spec *c;
#define policy(t) \
((t == FW3_FLAG_REJECT) ? FW3_FLAG_DROP : t)
{ FW3_TABLE_MANGLE, "FORWARD", "mssfix" },
{ FW3_TABLE_MANGLE, "PREROUTING", "fwmark" },
- { FW3_TABLE_RAW, "PREROUTING", "notrack" },
+ { FW3_TABLE_RAW, "PREROUTING", "delegate_notrack" },
{ 0, NULL },
};
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_target(r, tr->target);
- fw3_ipt_rule_append(r, tr->chain);
+ fw3_ipt_rule_replace(r, tr->chain);
}
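Review bot: Switching the top-level jump from append to replace on the changed line relies on `fw3_ipt_rule_replace` finding the slot the previous firewall3 run used, and its implementation is not in this hunk. If it is position-based (iptables `-R chain N`), a rule that a user or another tool inserted at that position in FORWARD/PREROUTING is silently overwritten, and on a cold start with an empty chain the replace fails instead of falling back to an append. Either document the contract at the call site, `/* fw3_ipt_rule_replace must match the previous fw3 jump by content and append when none exists */`, or match the existing jump by its target before replacing. The loop over `tr` begins outside this hunk.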
switch (handle->table)
{
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_comment(r, "user chain for %s", chains[i+1]);
- fw3_ipt_rule_target(r, chains[i+1]);
+ fw3_ipt_rule_target(r, "%s_rule", chains[i+1]);
fw3_ipt_rule_append(r, chains[i]);
}
}
}
static void
-set_default(const char *name, bool set)
+set_default(const char *name, int set)
{
FILE *f;
char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling\0")];
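Review bot: Widening `set` to `int` in set_default's signature means the value written for tcp_ecn is now whatever integer the configuration supplies, with no range check visible; the kernel's tcp_ecn sysctl accepts only 0, 1 or 2 and rejects anything else, and the body that performs the write continues outside this hunk, so I cannot tell whether the write result is checked. A guard before the write, `if (set < 0 || set > 2) return; /* sysctl accepts 0..2; other callers pass 0/1 */`, or a per-option range in the FW3_OPT parser, would stop a typo in the firewall config from silently leaving the previous sysctl value in effect. Note also that `path` is sized to the longest current option name, so a future name longer than tcp_window_scaling is truncated unless the path formatting in the body is bounds-checked.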
{
enum fw3_flag policy = reload ? FW3_FLAG_DROP : FW3_FLAG_ACCEPT;
struct fw3_defaults *defs = &state->defaults;
- const struct fw3_rule_spec *c;
+ const struct fw3_chain_spec *c;
if (!has(defs->flags, handle->family, handle->table))
return;
if (c->table != handle->table)
continue;
- if (c->flag &&
- !hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
+ if (c->flag && !has(defs->flags, handle->family, c->flag))
+ continue;
+
+ fw3_ipt_flush_chain(handle, c->format);
+
+ /* keep certain basic chains that do not depend on any settings to
+ avoid purging unrelated user rules pointing to them */
+ if (reload && !c->flag)
continue;
- fw3_ipt_delete_rules(handle, c->format);
fw3_ipt_delete_chain(handle, c->format);
}
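Review bot: The rewritten loop drops the `fw3_ipt_delete_rules(handle, c->format)` call that preceded `fw3_ipt_delete_chain`, so a flagged chain that is still referenced by a jump elsewhere can no longer be deleted (iptables refuses to remove a referenced chain) unless fw3_ipt_delete_chain removes references itself, which this hunk does not show. If it does not, restore the call on the delete path: `fw3_ipt_delete_rules(handle, c->format);` immediately before `fw3_ipt_delete_chain(handle, c->format);`. Separately, if `state` here is the new configuration rather than the saved run state, the retained `c->flag && !has(...)` skip leaves a just-disabled feature's chain neither flushed nor deleted on reload; the enclosing loop begins outside this hunk.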