While hacking my AR7 I realized that the firewall.init script took 8 seconds to load the rules.
So I iptables-saved my firewall and noticed that iptables-restore took only 0.2 seconds.
So I modified the firewall script so that it creates a file for every chain and restores it later.
This is amazingly fast. The script is unveiled below:

#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2008 OpenWrt.org

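# Load every queued per-table rules file into the kernel with a single
# iptables-restore run, then delete the queue files.
#
# Each /tmp/rules.<pid>.<table> file is streamed followed by a COMMIT line,
# so every table is committed separately.
#
# Returns: the exit status of iptables-restore. A rejected ruleset is
#          therefore visible to the caller instead of being hidden behind
#          the status of the cleanup "rm".
#
# NOTE(review): the queue files use a PID-derived, predictable name in /tmp,
# and every file matching the glob is loaded, whoever created it. On a
# system with unprivileged local users a private directory would be safer.
apply_rules()
{
    local f rc

    for f in "/tmp/rules.$$."*
    do
        # An unmatched glob stays literal; do not feed a bare COMMIT to
        # iptables-restore in that case.
        if [ ! -f "$f" ]; then
            continue
        fi
        cat "$f"
        echo COMMIT
    done | iptables-restore
    rc=$?

    rm -f "/tmp/rules.$$."*
    return $rc
}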

# Queue the default policy of a built-in chain.
#   $1 - chain name (e.g. INPUT)
#   $2 - policy target (e.g. DROP)
#   $3 - table name; "filter" when omitted or empty
# Appends ":<chain> <policy> [0:0]" to this run's rules file for the table.
# Chain and policy must be passed as two separate arguments; nothing here
# validates them, so a malformed call yields a line iptables-restore rejects.
chain_policy()
{
    table="${3:-filter}"
    echo ":$1 $2 [0:0]" >> "/tmp/rules.$$.$table"
}

# Queue the declaration of a user-defined chain.
#   $1 - chain name
#   $2 - table name; "filter" when omitted or empty
# Appends ":<chain> - [0:0]" to this run's rules file for the table.
new_chain()
{
    case "$2" in
        '') table=filter ;;
        *)  table="$2" ;;
    esac
    echo ":$1 - [0:0]" >> "/tmp/rules.$$.$table"
}

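# Queue one rule line, in iptables-restore syntax, for a table.
#   $1 - rule text, e.g. "-A INPUT -j ACCEPT"
#   $2 - table name; "filter" when omitted or empty
# Appends the text verbatim to this run's rules file for the table.
#
# printf is used instead of echo because rule text starts with "-": echo
# may treat such an argument as an option or interpret backslashes,
# depending on the shell. The table name is kept local so it does not
# leak into the caller's environment.
add_rule()
{
    local table="${2:-filter}"
    printf '%s\n' "$1" >> "/tmp/rules.$$.$table"
}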

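## Please make changes in /etc/firewall.user
## NOTE: this experimental version does not load /etc/firewall.user yet
## (see "USER RULES" at the end of start()), so rules placed there are
## not applied.
START=45

# Build the complete filter and nat rulesets as iptables-restore input
# and load them in one pass through apply_rules.
#
# Reads the wan/lan interface settings through config_get, queues chain
# declarations, policies and rules with new_chain / chain_policy /
# add_rule, and finally calls apply_rules.
#
# Every queued line must be valid: one line that iptables-restore rejects
# aborts the load, and the router is then left without these rules.
#
# NOTE(review): the queue files live under a predictable, PID-derived
# name in /tmp. Leftovers with the same name are removed before the files
# are created, but a private directory would be the robust fix.
start() {
    include /lib/network
    scan_interfaces

    config_get WAN wan ifname
    config_get WANDEV wan device
    config_get LAN lan ifname
    config_get_bool NAT_LAN lan nat 1
    if [ "$NAT_LAN" -ne 0 ]
    then
        config_get LAN_MASK lan netmask
        config_get LAN_IP lan ipaddr
        LAN_NET=$(/bin/ipcalc.sh "$LAN_IP" "$LAN_MASK" | grep NETWORK | cut -d= -f2)
    fi

    ## CLEAR TABLES
    # Drop anything already sitting under this run's file names so that
    # only content written below reaches iptables-restore.
    rm -f "/tmp/rules.$$."*
    echo '*filter' > "/tmp/rules.$$.filter"
    echo '*nat' > "/tmp/rules.$$.nat"

    new_chain input_rule
    new_chain input_wan
    new_chain output_rule
    new_chain forwarding_rule
    new_chain forwarding_wan

    new_chain prerouting_rule nat
    new_chain prerouting_wan nat
    new_chain postrouting_rule nat
    # Target of the "-j NEW" jump in PREROUTING below; it has to be
    # declared or the nat table fails to load.
    new_chain NEW nat

    # LAN_ACCEPT: accept everything that did not arrive on the WAN side.
    new_chain LAN_ACCEPT
    [ -z "$WAN" ] || add_rule "-A LAN_ACCEPT -i $WAN -j RETURN"
    [ -z "$WANDEV" ] || [ "$WANDEV" = "$WAN" ] || add_rule "-A LAN_ACCEPT -i $WANDEV -j RETURN"
    add_rule '-A LAN_ACCEPT -j ACCEPT'

    ### INPUT
    ###  (connections with the router as destination)

    # base case
    chain_policy INPUT DROP
    add_rule '-A INPUT -m state --state INVALID -j DROP'
    add_rule '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    add_rule '-A INPUT -p tcp --tcp-flags SYN SYN --tcp-option ! 2 -j  DROP'

    #
    # insert accept rule or to jump to new accept-check table here
    #
    add_rule '-A INPUT -j input_rule'
    [ -z "$WAN" ] || add_rule "-A INPUT -i $WAN -j input_wan"

    # allow
    # The ICMP and GRE rules carry no interface match, so they also accept
    # that traffic when it arrives on the WAN interface.
    add_rule '-A INPUT -j LAN_ACCEPT'    # allow from lan/wifi interfaces
    add_rule '-A INPUT -p icmp    -j ACCEPT'    # allow ICMP
    add_rule '-A INPUT -p gre    -j ACCEPT'    # allow GRE

    # reject (what to do with anything not allowed earlier)
    add_rule '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    add_rule '-A INPUT -j REJECT --reject-with icmp-port-unreachable'

    ### OUTPUT
    ### (connections with the router as source)

    # base case
    # chain_policy takes the chain and the policy as separate arguments;
    # a single '-P OUTPUT DROP' string produces a line that
    # iptables-restore cannot parse.
    chain_policy OUTPUT DROP
    add_rule '-A OUTPUT -m state --state INVALID -j DROP'
    add_rule '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

    #
    # insert accept rule or to jump to new accept-check table here
    #
    add_rule '-A OUTPUT -j output_rule'

    # allow
    add_rule '-A OUTPUT -j ACCEPT'        #allow everything out

    # reject (what to do with anything not allowed earlier)
    add_rule '-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset'
    add_rule '-A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

    ### FORWARDING
    ### (connections routed through the router)

    # base case
    # The FORWARD chain has no final reject rule, so this DROP policy is
    # what blocks forwarded traffic that nothing below accepts.
    chain_policy FORWARD DROP
    add_rule '-A FORWARD -m state --state INVALID -j DROP'
    add_rule '-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu'
    add_rule '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

    #
    # insert accept rule or to jump to new accept-check table here
    #
    add_rule '-A FORWARD -j forwarding_rule'
    [ -z "$WAN" ] || add_rule "-A FORWARD -i $WAN -j forwarding_wan"

    # allow
    # Skipped when an interface name is missing: "-i" or "-o" without a
    # value would make iptables-restore reject the whole filter table.
    [ -z "$LAN" ] || add_rule "-A FORWARD -i $LAN -o $LAN -j ACCEPT"
    [ -z "$WAN" ] || [ -z "$LAN" ] || add_rule "-A FORWARD -i $LAN -o $WAN -j ACCEPT"

    # reject (what to do with anything not allowed earlier)
    # uses the default -P DROP

    ### MASQ
    add_rule '-A PREROUTING -m state --state NEW -p tcp -j NEW' nat
    add_rule '-A PREROUTING -j prerouting_rule' nat
    [ -z "$WAN" ] || add_rule "-A PREROUTING -i $WAN -j prerouting_wan" nat
    # POSTROUTING exists in the nat table, not in filter.
    add_rule '-A POSTROUTING -j postrouting_rule' nat
    ### Only LAN, unless told not to
    if [ "$NAT_LAN" -ne 0 ]
    then
        # Without a computed LAN network the rule would be malformed.
        [ -z "$WAN" ] || [ -z "$LAN_NET" ] || add_rule "-A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE" nat
    fi

    # NEW: new TCP connections seen in PREROUTING pass while within the
    # limit match and are dropped once it is exceeded.
    add_rule '-A NEW -m limit --limit 50 --limit-burst 100 -j RETURN' nat && \
        add_rule '-A NEW -j DROP' nat

    ## USER RULES
    # unsupported yet

    apply_rules
}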

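# Switch the firewall off: load a ruleset that sets the policy of every
# built-in chain of the filter and nat tables to ACCEPT.
#
# Each table section must end with COMMIT. Without the COMMIT after the
# nat section, iptables-restore applies only the filter section and the
# nat rules stay in place.
#
# After stop() the router accepts and forwards all traffic; tables other
# than filter and nat are not touched.
stop() {
    iptables-restore <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}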

As you can see, it doesn't differ much from the original one, but it loads way faster.
Please have a look, and remember: it's not intended for regular use yet, it's an experiment.
I've posted it to trac too: https://dev.openwrt.org/attachment/tick … es-restore

(Last edited by rootkit on 20 Feb 2008, 16:16)