Hello,

Here comes a small patch to the CVS tree (pom/extra),
that adds the support for compile time choice
of the default policy of the 3 chains of the filter table.

This patch is trivial, and could probably go into
the mainstream kernel, provided that the coreteam find
that useful.

This is like the BSD system where people
can choose to deny by default at compile time.
When the box boots and the network is brought up, no traffic
would be allowed until a proper firewall
policy is implemented (/etc/rc.d/init.d/iptables for RH/MDK/...).
That's also what a lot of people do with FW1 at installation time.

The kernel patch have been made on a
2.4.19-pre5-jp9, it _should_ (I didn't test on other kernels..)
work on other kernels, I doubt iptable_filter.c
changed since a while..

Have a nice day,

Fabrice.
--
Fabrice MARIE
Senior R&D Engineer
Celestix Networks
http://www.celestix.com/

"Silly hacker, root is for administrators" 
       -Unknown
diff -uNr cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch
--- cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch	Thu Jan  1 07:30:00 1970
+++ netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch	Wed Apr  3 18:54:59 2002
@@ -0,0 +1,50 @@
+--- original/linux/net/ipv4/netfilter/iptable_filter.c	Fri Mar 22 05:20:10 2002
++++ linux/net/ipv4/netfilter/iptable_filter.c	Wed Apr  3 18:11:33 2002
+@@ -50,7 +50,11 @@
+ 		sizeof(struct ipt_standard),
+ 		0, { 0, 0 }, { } },
+ 	      { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++#ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT
++		-NF_DROP - 1 } },
++#else
+ 		-NF_ACCEPT - 1 } },
++#endif
+ 	    /* FORWARD */
+ 	    { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
+ 		0,
+@@ -58,7 +62,11 @@
+ 		sizeof(struct ipt_standard),
+ 		0, { 0, 0 }, { } },
+ 	      { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++#ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
++		-NF_DROP - 1 } },
++#else
+ 		-NF_ACCEPT - 1 } },
++#endif
+ 	    /* LOCAL_OUT */
+ 	    { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
+ 		0,
+@@ -66,7 +74,11 @@
+ 		sizeof(struct ipt_standard),
+ 		0, { 0, 0 }, { } },
+ 	      { { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
++#ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_OUTPUT
++		-NF_DROP - 1 } }
++#else
+ 		-NF_ACCEPT - 1 } }
++#endif
+     },
+     /* ERROR */
+     { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
+@@ -122,7 +134,11 @@
+ };
+ 
+ /* Default to forward because I got too much mail already. */
++#ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
++static int forward = NF_DROP;
++#else
+ static int forward = NF_ACCEPT;
++#endif
+ MODULE_PARM(forward, "i");
+ 
+ static int __init init(void)
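Review bot: The comment `/* Default to forward because I got too much mail already. */` that stays above the new `#ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD` block is wrong for the DROP build, where `forward` now starts as NF_DROP; suggest `/* Default to NF_ACCEPT unless CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD is set; overridable via the forward= module parameter. */`. The static table initializer edited by the first three hunks begins and ends outside what is shown, so the three `-NF_DROP - 1` / `-NF_ACCEPT - 1` verdict pairs could not be checked against the surrounding entries. As a style point, the three identical `#ifdef`/`#else`/`#endif` blocks inside the initializer would read better as one `#define` per chain near the top of the file (e.g. a `FILTER_INPUT_VERDICT` chosen once by the same `#ifdef`), leaving the initializer a flat list.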
diff -uNr cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.config.in netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.config.in
--- cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.config.in	Thu Jan  1 07:30:00 1970
+++ netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.config.in	Wed Apr  3 18:59:15 2002
@@ -0,0 +1,4 @@
+comment '  IP: Netfilter Configuration'
+bool '  default policy for INPUT   to be DROP' CONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT
+bool '  default policy for FORWARD to be DROP' CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
+bool '  default policy for OUTPUT  to be DROP' CONFIG_IP_NF_DEFAULT_POLICY_DROP_OUTPUT
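Review bot: The three new options are plain `bool` entries with no dependency on CONFIG_IP_NF_FILTER, so they are offered even when the filter table is not built and the companion makefile's `obj-$(CONFIG_IP_NF_FILTER)` line is inactive; `dep_bool '  default policy for INPUT   to be DROP' CONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT $CONFIG_IP_NF_FILTER` (and the same for FORWARD and OUTPUT) ties each option to the table it changes. Whether the `comment '  IP: Netfilter Configuration'` line duplicates a heading the merged Config.in already carries cannot be told from this fragment; if it does, it should be dropped.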
diff -uNr cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.configure.help netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.configure.help
--- cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.configure.help	Thu Jan  1 07:30:00 1970
+++ netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.configure.help	Wed Apr  3 19:09:16 2002
@@ -0,0 +1,30 @@
+CONFIG_NETFILTER
+Default policy for INPUT
+CONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT
+  Set this option to 'yes' if you wish the
+  default policy of the INPUT chain of the
+  filter table to be DROP. Set this option
+  to 'no' if you wish to default policy to
+  be ACCEPT.
+
+  If you are unsure, say 'no'.
+
+Default policy for FORWARD
+CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
+  Set this option to 'yes' if you wish the
+  default policy of the FORWARD chain of the
+  filter table to be DROP. Set this option
+  to 'no' if you wish to default policy to
+  be ACCEPT.
+
+  If you are unsure, say 'no'.
+
+Default policy for OUTPUT
+CONFIG_IP_NF_DEFAULT_POLICY_DROP_OUTPUT
+  Set this option to 'yes' if you wish the
+  default policy of the OUTPUT chain of the
+  filter table to be DROP. Set this option
+  to 'no' if you wish to default policy to
+  be ACCEPT.
+
+  If you are unsure, say 'no'.
diff -uNr cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.help netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.help
--- cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.help	Thu Jan  1 07:30:00 1970
+++ netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.help	Wed Apr  3 20:12:22 2002
@@ -0,0 +1,8 @@
+Author: Fabrice MARIE <[EMAIL PROTECTED]>
+Status: It's works for me.
+
+This patch adds the support for compile time choice
+of the default policy of the 3 chains of the
+'filter' table. This way, you can choose to have
+the default policy of the chains to be DROP by default.
+
diff -uNr cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.makefile netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.makefile
--- cvs/netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.makefile	Thu Jan  1 07:30:00 1970
+++ netfilter/userspace/patch-o-matic/extra/choose_default_policy_filter.patch.makefile	Wed Apr  3 19:12:18 2002
@@ -0,0 +1,10 @@
+obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
+ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT
+        CFLAGS_iptables_filter.o = -DCONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT
+endif
+ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
+        CFLAGS_iptables_filter.o = -DCONFIG_IP_NF_DEFAULT_POLICY_DROP_FORWARD
+endif
+ifdef CONFIG_IP_NF_DEFAULT_POLICY_DROP_OUTPUT
+        CFLAGS_iptables_filter.o = -DCONFIG_IP_NF_DEFAULT_POLICY_DROP_OUTPUT
+endif
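Review bot: The object name in the three CFLAGS assignments does not match the object built on the first line: the target is `iptable_filter.o`, but the variables are `CFLAGS_iptables_filter.o` (extra `s`), so none of the `-DCONFIG_IP_NF_DEFAULT_POLICY_DROP_*` flags reach iptable_filter.c and the compiled-in policy silently stays ACCEPT whichever option was selected. The assignments also use `=` rather than `+=`, so when more than one option is enabled only the last survives. Each line should read like `CFLAGS_iptable_filter.o += -DCONFIG_IP_NF_DEFAULT_POLICY_DROP_INPUT`, with the FORWARD and OUTPUT lines changed the same way. Whether the kernel's generated autoconf header already makes these CONFIG_ symbols visible to iptable_filter.c cannot be confirmed from the patch; if it does, this makefile is redundant, but as written it does not do what it appears to.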
