This patch is for firewall/iptables. Most of it fixes some hush script problems. It also adds some SPI rules to the firewall script.


diff -ruN package/firewall/files/20-firewall package-after/firewall/files/20-firewall
--- package/firewall/files/20-firewall 2009-10-06 15:41:25.000000000 +0300
+++ package-after/firewall/files/20-firewall 2009-10-20 13:51:40.000000000 +0300
@@ -4,8 +4,8 @@
[ "$ifname" == "lo" ] && exit 0

load_zones() {
-    local name
-    local network
+     name=
+     network=
    config_get name $1 name
    config_get network $1 network
    [ -z "$network" ] && network=$name
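Review bot: The replacement assignments at L12-L13 are indented five spaces while the surrounding body (L14-L16) uses four, so the hunk introduces a mixed indent inside load_zones. The same off-by-one indent appears on the other converted declarations in this patch, which suggests it was produced by a mechanical `local ` removal. Re-indent to `    name=` and `    network=` before merging.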
@@ -20,17 +20,18 @@

[ ifup = "$ACTION" ] && {
    for z in $ZONE; do
-        local loaded
+         loaded=
        config_get loaded core loaded
-        [ -n "$loaded" ] && addif "$INTERFACE" "$ifname" "$z"
+ [ -n "$loaded" ] && [ -n "$z" ] && addif "$INTERFACE" "$ifname" "$z"
    done
}

[ ifdown = "$ACTION" ] && {
-    local up
-    config_get up "$INTERFACE" up
+    up=

    for z in $ZONE; do
-        [ "$up" == "1" ] && delif "$INTERFACE" "$ifname" "$z"
+         up=
+        config_get up $z up
+ [ "$up" == "1" ] && [ -n "$z" ] && delif "$INTERFACE" "$ifname" "$z"
    done
}
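Review bot: The ifdown branch now reads `up` from the zone section (`config_get up $z up`, L37) instead of from the interface section `$INTERFACE` as before, and nothing in this patch sets an `up` option on a zone. If no other code does either, the `[ "$up" == "1" ]` test at L38 never holds and delif is never called, so an interface's rules stay in the zone chains after it goes down. Unless that change is intentional, keep the lookup on the interface: `config_get up "$INTERFACE" up` before the loop. The added `[ -n "$z" ]` checks at L25 and L38 are redundant, since word-splitting of `$ZONE` never yields an empty word.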
diff -ruN package/firewall/files/uci_firewall.sh package-after/firewall/files/uci_firewall.sh
--- package/firewall/files/uci_firewall.sh 2009-10-06 15:41:25.000000000 +0300
+++ package-after/firewall/files/uci_firewall.sh 2009-10-20 14:37:52.000000000 +0300
@@ -24,7 +24,7 @@
NOTRACK_DISABLED=

find_item() {
-    local item="$1"; shift
+    item="$1"; shift
    for i in "$@"; do
        [ "$i" = "$item" ] && return 0
    done
@@ -42,13 +42,14 @@
}

create_zone() {
-    local exists
-
+ exists=
+
    [ "$1" == "loopback" ] && return

-    config_get exists $ZONE_LIST $1
+    eval_ZONE_LIST=$(eval "echo $ZONE_LIST")
+    config_get exists $eval_ZONE_LIST $1
    [ -n "$exists" ] && return
-    config_set $ZONE_LIST $1 1
+    config_set $eval_ZONE_LIST $1 1

    $IPTABLES -N zone_$1
    $IPTABLES -N zone_$1_MSSFIX
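Review bot: `eval_ZONE_LIST=$(eval "echo $ZONE_LIST")` at L61 runs a second round of shell expansion on a value the script already expanded, which is only meaningful if ZONE_LIST deliberately holds an unexpanded reference; its definition is outside this hunk, so I cannot tell. If it is a plain value, the eval is a no-op with a command-injection footgun attached and `config_get exists $ZONE_LIST $1` (the removed L60) should stay as it was; if late expansion really is intended, say so in a one-line comment above L61. Either way `$1` should be quoted in the config_get/config_set calls.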
@@ -67,11 +68,12 @@
}

addif() {
-    local network="$1"
-    local ifname="$2"
-    local zone="$3"
+    network="$1"
+    ifname="$2"
+    zone="$3"

-    local n_if n_zone
+    n_if=
+    n_zone=
    config_get n_if core "${network}_ifname"
    config_get n_zone core "${network}_zone"
    [ -n "$n_zone" ] && {
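Review bot: With `local` gone, `ifname` and `zone` at L77-L78 are the same globals the callers use — fw_addif passes `"$ifname"` into addif and fw_custom_chains_zone / fw_check_notrack assign `zone` — so a caller that reads either name after addif returns will see addif's copy. The values happen to coincide today, so this is fragile rather than broken. For the handful of helpers invoked inside loops, a function-private prefix (e.g. `addif_zone="$3"`) would keep the hush-compatible form without the aliasing.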
@@ -101,9 +103,9 @@
}

delif() {
-    local network="$1"
-    local ifname="$2"
-    local zone="$3"
+    network="$1"
+    ifname="$2"
+    zone="$3"

    logger "removing $network ($ifname) from firewall zone $zone"
    $IPTABLES -D input -i "$ifname" -j zone_$zone
@@ -123,8 +125,8 @@
}

load_synflood() {
-    local rate=${1:-25}
-    local burst=${2:-50}
+    rate=${1:-25}
+    burst=${2:-50}
    echo "Loading synflood protection"
    $IPTABLES -N syn_flood
$IPTABLES -A syn_flood -p tcp --syn -m limit --limit $rate/second --limit-burst $burst -j RETURN
@@ -133,8 +135,8 @@
}

fw_set_chain_policy() {
-    local chain=$1
-    local target=$2
+    chain=$1
+    target=$2
    [ "$target" == "REJECT" ] && {
        $IPTABLES -A $chain -j reject
        target=DROP
@@ -220,9 +222,9 @@
}

fw_zone() {
-    local name
-    local network
-    local masq
+    name=
+    network=
+    masq=

    config_get name $1 name
    config_get network $1 network
@@ -238,18 +240,18 @@
}

fw_rule() {
-    local src
-    local src_ip
-    local src_mac
-    local src_port
-    local src_mac
-    local dest
-    local dest_ip
-    local dest_port
-    local proto
-    local icmp_type
-    local target
-    local ruleset
+    src=
+    src_ip=
+    src_mac=
+    src_port=
+    src_mac=
+    dest=
+    dest_ip=
+    dest_port=
+    proto=
+    icmp_type=
+    target=
+    ruleset=

    config_get src $1 src
    config_get src_ip $1 src_ip
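Review bot: `src_mac=` appears twice in the new declaration list (L152 and L154). The duplicate was already in the removed `local` list (L140, L142), and this rewrite of every line is the natural moment to drop the second one so the list matches the config_get calls that follow.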
@@ -265,14 +267,18 @@

    src_port_first=${src_port%-*}
    src_port_last=${src_port#*-}
-    [ "$src_port_first" -ne "$src_port_last" ] && { \
-        src_port="$src_port_first:$src_port_last"; }
+    if [ -n "$src_port_last" ] ; then
+        [ "$src_port_first" -ne "$src_port_last" ] && {
+            src_port="$src_port_first:$src_port_last"; }
+    fi

    dest_port_first=${dest_port%-*}
    dest_port_last=${dest_port#*-}
-    [ "$dest_port_first" -ne "$dest_port_last" ] && { \
-        dest_port="$dest_port_first:$dest_port_last"; }
-
+ if [ -n "$dest_port_last" ] ; then
+        [ "$dest_port_first" -ne "$dest_port_last" ] && {
+            dest_port="$dest_port_first:$dest_port_last"; }
+    fi
+
    ZONE=input
    TARGET=$target
    [ -z "$target" ] && target=DROP
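Review bot: The `if [ -n "$src_port_last" ]` wrapper (L171-L174, and again for dest_port) only avoids the numeric comparison when the value is empty; a non-numeric or malformed port from the config still reaches `-ne` and produces a comparison error. A string comparison handles every case without the guard: `[ "$src_port_first" != "$src_port_last" ] && src_port="$src_port_first:$src_port_last"`, since an empty or dash-free value leaves both halves identical. The same one-line form applies to the dest_port block at L180-L183.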
@@ -280,15 +286,14 @@
    [ -n "$src" -a -n "$dest" ] && ZONE=zone_${src}_forward
    [ -n "$dest" ] && TARGET=zone_${dest}_$target
    add_rule() {
-        $IPTABLES -I $ZONE 1 \
-            ${proto:+-p $proto} \
-            ${icmp_type:+--icmp-type $icmp_type} \
-            ${src_ip:+-s $src_ip} \
-            ${src_port:+--sport $src_port} \
-            ${src_mac:+-m mac --mac-source $src_mac} \
-            ${dest_ip:+-d $dest_ip} \
-            ${dest_port:+--dport $dest_port} \
-            -j $TARGET
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+        DEST_IP=$(eval "echo \"${dest_ip:+-d $dest_ip}\"")
+        DEST_PORT=$(eval "echo \"${dest_port:+--dport $dest_port}\"")
+ $IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
+
    }
    [ "$proto" == "tcpudp" -o -z "$proto" ] && {
        proto=tcp
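Review bot: The new add_rule passes config-derived values through `eval` (L201-L206): `$src_ip`, `$src_mac`, and the port strings are interpolated into the string first, so a value such as `$(...)` or backticks in /etc/config/firewall is executed by eval in whatever context the firewall script runs in, before any iptables rule is built. Anyone who can write that file (for instance through a web UI) therefore gets shell execution, where previously they could at most produce a broken iptables rule. The eval is also unnecessary — each variable is either empty or a fixed prefix plus the value — so build the optional matches with plain tests instead; the rewritten body follows.
```shell
    add_rule() {
        # Build each optional match without eval: config values are data, not shell code.
        PROTO=;     [ -n "$proto" ]     && PROTO="-p $proto"
        SRC_IP=;    [ -n "$src_ip" ]    && SRC_IP="-s $src_ip"
        SRC_PORT=;  [ -n "$src_port" ]  && SRC_PORT="--sport $src_port"
        SRC_MAC=;   [ -n "$src_mac" ]   && SRC_MAC="-m mac --mac-source $src_mac"
        DEST_IP=;   [ -n "$dest_ip" ]   && DEST_IP="-d $dest_ip"
        DEST_PORT=; [ -n "$dest_port" ] && DEST_PORT="--dport $dest_port"
        $IPTABLES -I $ZONE 1 $PROTO $SRC_IP $SRC_PORT $SRC_MAC $DEST_IP $DEST_PORT -j $TARGET
    }
```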
@@ -301,9 +306,9 @@
}

fw_forwarding() {
-    local src
-    local dest
-    local masq
+    src=
+    dest=
+    masq=

    config_get src $1 src
    config_get dest $1 dest
@@ -317,14 +322,15 @@
}

fw_redirect() {
-    local src
-    local src_ip
-    local src_port
-    local src_dport
-    local src_mac
-    local dest_ip
-    local dest_port dest_port2
-    local proto
+    src=
+    src_ip=
+    src_port=
+    src_dport=
+    src_mac=
+    dest_ip=
+    dest_port=
+    dest_port2=
+    proto=
config_get src $1 src
    config_get src_ip $1 src_ip
@@ -334,42 +340,46 @@
    config_get dest_ip $1 dest_ip
    config_get dest_port $1 dest_port
    config_get proto $1 proto
-    [ -z "$src" -o -z "$dest_ip" ] && { \
-        echo "redirect needs src and dest_ip"; return ; }
+ [ -z "$src" -o -z "$dest_ip" ] && { echo "redirect needs src and dest_ip"; return ; }

 src_port_first=${src_port%-*}
    src_port_last=${src_port#*-}
-    [ "$src_port_first" -ne "$src_port_last" ] && { \
-        src_port="$src_port_first:$src_port_last"; }
+    if [ -n "$src_port_last" ] ; then
+        [ "$src_port_first" -ne "$src_port_last" ] && {
+            src_port="$src_port_first:$src_port_last"; }
+    fi

    src_dport_first=${src_dport%-*}
    src_dport_last=${src_dport#*-}
-    [ "$src_dport_first" -ne "$src_dport_last" ] && { \
-        src_dport="$src_dport_first:$src_dport_last"; }
+    if [ -n "$src_dport_last" ] ; then
+        [ "$src_dport_first" -ne "$src_dport_last" ] && {
+            src_dport="$src_dport_first:$src_dport_last"; }
+    fi

    dest_port2=$dest_port
    dest_port_first=${dest_port2%-*}
    dest_port_last=${dest_port2#*-}
-    [ "$dest_port_first" -ne "$dest_port_last" ] && { \
-        dest_port2="$dest_port_first:$dest_port_last"; }
+    if [ -n "$dest_port_last" ] ; then
+        [ "$dest_port_first" -ne "$dest_port_last" ] && {
+            dest_port2="$dest_port_first:$dest_port_last"; }
+    fi

    add_rule() {
-        $IPTABLES -A zone_${src}_prerouting -t nat \
-            ${proto:+-p $proto} \
-            ${src_ip:+-s $src_ip} \
-            ${src_port:+--sport $src_port} \
-            ${src_dport:+--dport $src_dport} \
-            ${src_mac:+-m mac --mac-source $src_mac} \
-            -j DNAT --to-destination $dest_ip${dest_port:+:$dest_port}
-
-        $IPTABLES -I zone_${src}_forward 1 \
-            ${proto:+-p $proto} \
-            -d $dest_ip \
-            ${src_ip:+-s $src_ip} \
-            ${src_port:+--sport $src_port} \
-            ${dest_port2:+--dport $dest_port2} \
-            ${src_mac:+-m mac --mac-source $src_mac} \
-            -j ACCEPT
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        SRC_DPORT=$(eval "echo \"${src_dport:+--dport $src_dport}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+        DEST_PORT=$(eval "echo \"${dest_port:+:$dest_port}\"")
+ $IPTABLES -A zone_${src}_prerouting -t nat $PROTO $SRC_IP $SRC_PORT $SRC_DPORT $SRC_MAC -j DNAT --to-destination $dest_ip$DEST_PORT
+
+        PROTO=$(eval "echo \"${proto:+-p $proto}\"")
+        SRC_IP=$(eval "echo \"${src_ip:+-s $src_ip}\"")
+        SRC_PORT=$(eval "echo \"${src_port:+--sport $src_port}\"")
+        DEST_PORT2=$(eval "echo \"${dest_port2:+--dport $dest_port2}\"")
+        SRC_MAC=$(eval "echo \"${src_mac:+-m mac --mac-source $src_mac}\"")
+ $IPTABLES -I zone_${src}_forward 1 $PROTO -d $dest_ip $SRC_IP $SRC_PORT $DEST_PORT2 $SRC_MAC -j ACCEPT
+
    }
    [ "$proto" == "tcpudp" -o -z "$proto" ] && {
        proto=tcp
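Review bot: fw_redirect's add_rule has the same `eval "echo ..."` construction as fw_rule (L299-L304 and L307-L311): config values such as `src_ip`, `src_mac` and the port strings are expanded into the string and then eval'd, so shell syntax in /etc/config/firewall is executed rather than rejected by iptables. Replace each with an empty default plus a test, e.g. `SRC_MAC=; [ -n "$src_mac" ] && SRC_MAC="-m mac --mac-source $src_mac"`, as the values contain nothing that needs a second expansion. The second block at L307-L309 and L311 recomputes PROTO, SRC_IP, SRC_PORT and SRC_MAC with identical inputs, so once the eval is gone those four lines can be dropped and only DEST_PORT2 computed before the forward rule.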
@@ -382,18 +392,48 @@
}

fw_include() {
-    local path
+    path=
    config_get path $1 path
    [ -e $path ] && . $path
}

+INTERFACES=
fw_addif() {
-    local up
-    local ifname
+    unset ZONE
+    INTERFACE=$1
+    config_get ifname $INTERFACE ifname
+    [ "$ifname" == "lo" ] && return 0
+
+    load_zones() {
+         name=
+         network=
+        config_get name $1 name
+        config_get network $1 network
+        [ -z "$network" ] && network=$name
+        for n in $network; do
+            [ "$n" = "$INTERFACE" ] && ZONE="$ZONE $name"
+        done
+    }
+
+    config_foreach load_zones zone
+
+    [ -z "$ZONE" ] && return 0
+
+    for z in $ZONE; do
+         loaded=
+        config_get loaded core loaded
+ [ -n "$loaded" ] && [ -n "$z" ] && addif "$INTERFACE" "$ifname" "$z"
+    done
+
+}
+
+get_interfaces() {
+    up=
+    ifname=
    config_get up $1 up
    config_get ifname $1 ifname
    [ -n "$up" ] || return 0
-    (ACTION="ifup" INTERFACE="$1" . /etc/hotplug.d/iface/20-firewall)
+    INTERFACES="$INTERFACES $1"
}
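Review bot: get_interfaces reads `ifname` from the network config (L363) but discards it, and fw_addif re-reads it at L333 after fw_init has run `config_load firewall` (L453); unless CONFIG_APPEND is in effect there, the network sections are no longer loaded at that point and `ifname` comes back empty for a name like `lan`. The `[ "$ifname" == "lo" ]` check at L334 does not catch that, so addif would be called with an empty interface. Either collect the name with the interface in get_interfaces (`INTERFACES="$INTERFACES $1:$ifname"`) and split it in fw_addif, or at least guard with `[ -n "$ifname" ] || return 0` after L333. The nested `load_zones` definition at L336 is also global in shell and is redefined on every call, which is harmless but worth a comment since it duplicates the one in 20-firewall.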

fw_custom_chains() {
@@ -409,10 +449,24 @@
    $IPTABLES -A FORWARD -j forwarding_rule
    $IPTABLES -A PREROUTING -t nat -j prerouting_rule
    $IPTABLES -A POSTROUTING -t nat -j postrouting_rule
+
+    ifname=
+    ipaddr=
+    netmask=
+    unset CONFIG_APPEND
+    config_load network
+    config_get ifname wan ifname
+    config_get ipaddr lan ipaddr
+    config_get netmask lan netmask
+
+ it_lan_subnet=`$(eval "echo \"awk -v args=sb -v ip=$ipaddr -v mask=$netmask -f /etc/subnet.awk\"")`
+ $IPTABLES -A postrouting_rule -t nat -o $ifname -s $it_lan_subnet -d 0/0 -j MASQUERADE
+    #reload firewall config
+    config_load firewall
}

fw_custom_chains_zone() {
-    local zone="$1"
+    zone="$1"

    [ -n "$CUSTOM_CHAINS" ] || return 0
    $IPTABLES -N input_${zone}
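Review bot: The subnet computation at L384 wraps an `eval "echo ..."` in backticks, so `$ipaddr` and `$netmask` from the network config go through two rounds of shell evaluation before awk ever sees them; a value containing shell syntax is executed rather than passed as data. The awk call needs neither: `it_lan_subnet=$(awk -v args=sb -v ip="$ipaddr" -v mask="$netmask" -f /etc/subnet.awk)`. If `$ifname` or the result is empty the MASQUERADE rule at L384 is malformed, so guard it: `[ -n "$ifname" ] && [ -n "$it_lan_subnet" ] && $IPTABLES -A postrouting_rule -t nat -o "$ifname" -s "$it_lan_subnet" -j MASQUERADE`. This rule also hard-wires lan→wan masquerading in fw_custom_chains regardless of the zone `masq` option that fw_zone reads (L127), which deserves a comment explaining why both are needed.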
@@ -424,13 +478,51 @@
}

fw_check_notrack() {
-    local zone="$1"
+    zone="$1"
    config_get name "$zone" name
    [ -n "$NOTRACK_DISABLED" ] || \
        find_item "$name" $CONNTRACK_ZONES || \
        $IPTABLES -t raw -A zone_${name}_notrack -j NOTRACK
}

+fw_add_spi() {
+    $IPTABLES -N SPI
+    # Bad Packet
+ $IPTABLES -A SPI -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j LOG --log-level notice --log-prefix 'ATT:001[SYN-ACK]:'
+ $IPTABLES -A SPI -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
+
+    #NULL scan
+ $IPTABLES -A SPI -p tcp --tcp-flags ALL NONE -j LOG --log-level notice --log-prefix 'ATT:001[NULL]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags ALL NONE -j DROP
+
+    #NMAP
+ $IPTABLES -A SPI -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix 'ATT:001[NMAP-Xmas]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+
+    #SYN-RST
+ $IPTABLES -A SPI -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix 'ATT:001[SYN-RST]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+    #SYN-FIN
+ $IPTABLES -A SPI -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix 'ATT:001[SYN-FIN]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+    #X'mas
+ $IPTABLES -A SPI -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix 'ATT:001[Xmas]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags ALL ALL -j DROP
+
+    #X'mas
+ $IPTABLES -A SPI -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix 'ATT:001[Xmas]:'
+    $IPTABLES -A SPI -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+    $IPTABLES -I INPUT 1 -j SPI
+}
+
+fw_load_modules() {
+ [ "0" == "`lsmod | grep '\<nf_conntrack_ftp\>' | wc -l`" ] && insmod nf_conntrack_ftp
+ [ "0" == "`lsmod | grep '\<nf_nat_ftp\>' | wc -l`" ] && insmod nf_nat_ftp
+}
+
fw_init() {
    DEFAULTS_APPLIED=

@@ -450,7 +542,20 @@
    config_foreach fw_check_notrack zone
    unset CONFIG_APPEND
    config_load network
-    config_foreach fw_addif interface
+    config_foreach get_interfaces interface
+
+    config_load firewall
+    for inf in $INTERFACES; do
+        [ "$inf" ] && fw_addif $inf
+    done
+
+    echo "Loading SPI"
+    fw_add_spi
+
+    echo "Loading modules"
+    fw_load_modules
+
+    echo "firewall inited"
}
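Review bot: fw_add_spi is called unconditionally on every fw_init (L459), and it creates the chain with `-N SPI` and inserts `-I INPUT 1 -j SPI`; if fw_stop, which begins at L467 outside this hunk, does not flush and delete SPI, the second run fails on `-N` and adds a duplicate jump each time the firewall reloads. Either make fw_add_spi idempotent (`$IPTABLES -F SPI 2>/dev/null || $IPTABLES -N SPI` and a `-D INPUT -j SPI` before the insert) or add the matching `-D INPUT -j SPI; -F SPI; -X SPI` to fw_stop. The `[ "$inf" ]` test at L455 is redundant, because word-splitting of `$INTERFACES` never yields an empty word.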

fw_stop() {
diff -ruN package/iptables/patches/1.4.4/010-xtables-nommu.patch package-after/iptables/patches/1.4.4/010-xtables-nommu.patch
--- package/iptables/patches/1.4.4/010-xtables-nommu.patch 1970-01-01 02:00:00.000000000 +0200
+++ package-after/iptables/patches/1.4.4/010-xtables-nommu.patch 2009-10-20 14:54:06.000000000 +0300
@@ -0,0 +1,26 @@
+--- iptables-1.4.4/xtables.c        2009-06-16 17:37:44.000000000 +0300
++++ iptables-after/xtables.c-after    2009-10-20 14:50:53.000000000 +0300
+@@ -319,7 +319,11 @@
+      */
+     fflush(stdout);
+
++#ifdef HAVE_FORK
+     switch (fork()) {
++#else
++    switch (vfork()) {
++#endif
+     case 0:
+         argv[0] = (char *)modprobe;
+         argv[1] = (char *)modname;
+@@ -333,7 +337,11 @@
+         execv(argv[0], argv);
+
+         /* not usually reached */
++#ifdef HAVE_FORK
+         exit(1);
++#else
++        _exit(1);
++#endif
+     case -1:
+         return -1;
+
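Review bot: On the vfork() path the child still executes the `argv[0] = ...; argv[1] = ...;` stores at L482-L483 before execv(), but a vfork child shares the parent's address space and POSIX only permits it to call execve() or _exit(); the writes land in the parent's argv array. Hoisting the two assignments above the `switch` so the child does nothing but execv()/_exit() removes the hazard for both paths; the function starts and ends outside this hunk. `HAVE_FORK` is not defined anywhere in the patch, so unless iptables' configure emits it, every build silently takes the vfork branch — worth confirming or guarding with `#if defined(HAVE_FORK) || !defined(__UCLIBC__)` style logic that matches the build.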