From: Dave Taht <dave.t...@bufferbloat.net>

This adds firewall support for blocking common invalid address
ranges, using ipset.
---
 net/bcp38/Makefile             |   63 ++++++++++++++++++++++++++
 net/bcp38/files/bcp38.config   |   22 +++++++++
 net/bcp38/files/bcp38.defaults |   13 ++++++
 net/bcp38/files/run.sh         |   96 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 194 insertions(+)
 create mode 100644 net/bcp38/Makefile
 create mode 100644 net/bcp38/files/bcp38.config
 create mode 100644 net/bcp38/files/bcp38.defaults
 create mode 100755 net/bcp38/files/run.sh

diff --git a/net/bcp38/Makefile b/net/bcp38/Makefile
new file mode 100644
index 0000000..d777e13
--- /dev/null
+++ b/net/bcp38/Makefile
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2014 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+# Please note this is not an officially released version of bcp38
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=bcp38
+PKG_VERSION:=4
+PKG_RELEASE:=1
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/bcp38
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=Routing and Redirection
+  TITLE:=BCP38 compliance 
+  URL:=http://www.github.com/dtaht/bcp38
+  MAINTAINER:=Dave Taht <d+bc...@taht.net>
+  DEPENDS:=+ipset
+endef
+
+define Package/bcp38/description
+ bcp38 implements rfc bcp 38 for home routers.
+endef
+
+define Package/bcp38/conffiles
+/etc/config/bcp38
+endef
+
+define Build/Prepare
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/bcp38/install
+       $(INSTALL_DIR) $(1)/etc/config
+       $(INSTALL_CONF) ./files/bcp38.config $(1)/etc/config/bcp38
+       $(INSTALL_DIR) $(1)/usr/lib/bcp38
+       $(INSTALL_BIN) ./files/run.sh $(1)/usr/lib/bcp38/run.sh
+       $(INSTALL_DIR) $(1)/etc/uci-defaults
+       $(INSTALL_BIN) ./files/bcp38.defaults $(1)/etc/uci-defaults/bcp38
+endef
+
+define Package/bcp38/postinst
+#!/bin/sh
+[ -x /etc/uci-defaults/bcp38 ] && /etc/uci-defaults/bcp38 || exit 0
+endef
+
+define Package/bcp38/postrm
+#!/bin/sh
+uci delete firewall.bcp38
+uci commit
+endef
+
+$(eval $(call BuildPackage,bcp38))
diff --git a/net/bcp38/files/bcp38.config b/net/bcp38/files/bcp38.config
new file mode 100644
index 0000000..80431e5
--- /dev/null
+++ b/net/bcp38/files/bcp38.config
@@ -0,0 +1,22 @@
+config bcp38
+       option enabled 1
+       option interface 'ge00'
+       option detect_upstream 1
+       list match '127.0.0.0/8'
+       list match '0.0.0.0/8'       # RFC 1700
+       list match '240.0.0.0/4'     # RFC 5745
+       list match '192.0.2.0/24'    # RFC 5737
+       list match '198.51.100.0/24' # RFC 5737
+       list match '203.0.113.0/24'  # RFC 5737
+       list match '192.168.0.0/16'  # RFC 1918
+       list match '10.0.0.0/8'      # RFC 1918
+       list match '172.16.0.0/12'   # RFC 1918
+       list match '169.254.0.0/16'  # RFC 3927
+
+#      list nomatch '172.26.0.0/21' # Example of something not to match
+#      There is a dhcp trigger to do this for the netmask of a 
+#      double natted connection needed
+
+#      I will argue that this level of indirection doesn't scale
+#      very well - see how to block china as an example
+#      http://www.okean.com/china.txt
diff --git a/net/bcp38/files/bcp38.defaults b/net/bcp38/files/bcp38.defaults
new file mode 100644
index 0000000..d7e0d80
--- /dev/null
+++ b/net/bcp38/files/bcp38.defaults
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+uci -q batch <<-EOT
+       delete firewall.bcp38
+       set firewall.bcp38=include
+       set firewall.bcp38.type=script
+       set firewall.bcp38.path=/usr/lib/bcp38/run.sh
+       set firewall.bcp38.family=IPv4
+       set firewall.bcp38.reload=1
+       commit firewall
+EOT
+
+exit 0
diff --git a/net/bcp38/files/run.sh b/net/bcp38/files/run.sh
new file mode 100755
index 0000000..33ec531
--- /dev/null
+++ b/net/bcp38/files/run.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+
+STOP=$1
+IPSET_NAME=bcp38-ipv4
+IPTABLES_CHAIN=BCP38
+
+. /lib/functions.sh
+
+config_load bcp38
+
+add_bcp38_rule()
+{
+       local subnet="$1"
+       local action="$2"
+
+       if [ "$action" == "nomatch" ]; then
+               ipset add "$IPSET_NAME" "$subnet" nomatch
+       else
+               ipset add "$IPSET_NAME" "$subnet"
+       fi
+}
+
+detect_upstream()
+{
+       local interface="$1"
+
+       subnets=$(ip route show dev "$interface"  | grep 'scope link' | awk 
'{print $1}')
+       for subnet in $subnets; do
+               # ipset test doesn't work for subnets, so strip out the subnet 
part
+               # and test for that; add as exception if there's a match
+               addr=$(echo $subnet | sed 's|/[0-9]\+$||')
+               ipset test "$IPSET_NAME" $addr 2>/dev/null && add_bcp38_rule 
$subnet nomatch
+       done
+}
+
+run() {
+       local section="$1"
+       local enabled
+       local interface
+       local detect_upstream
+       config_get_bool enabled "$section" enabled 0
+       config_get interface "$section" interface
+       config_get detect_upstream "$section" detect_upstream
+
+       if [ "$enabled" -eq "1" -a -n "$interface" -a -z "$STOP" ] ; then
+               setup_ipset
+               setup_iptables "$interface"
+               config_list_foreach "$section" match add_bcp38_rule match
+               config_list_foreach "$section" nomatch add_bcp38_rule nomatch
+               [ "$detect_upstream" -eq "1" ] && detect_upstream "$interface"
+       fi
+       exit 0
+}
+
+setup_ipset()
+{
+       ipset create "$IPSET_NAME" hash:net family ipv4
+       ipset flush "$IPSET_NAME"
+}
+
+setup_iptables()
+{
+       local interface="$1"
+       iptables -N "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+
+       iptables -I output_rule -j "$IPTABLES_CHAIN"
+       iptables -I input_rule -j "$IPTABLES_CHAIN"
+       iptables -I forwarding_rule -j "$IPTABLES_CHAIN"
+
+       # always accept DHCP traffic
+       iptables -A "$IPTABLES_CHAIN" -p udp --dport 67:68 --sport 67:68 -j 
RETURN
+       iptables -A "$IPTABLES_CHAIN" -o "$interface" -m set --match-set 
"$IPSET_NAME" dst -j REJECT --reject-with icmp-net-unreachable
+       iptables -A "$IPTABLES_CHAIN" -i "$interface" -m set --match-set 
"$IPSET_NAME" src -j DROP
+}
+
+destroy_ipset()
+{
+       ipset flush "$IPSET_NAME" 2>/dev/null
+       ipset destroy "$IPSET_NAME" 2>/dev/null
+}
+
+destroy_iptables()
+{
+       iptables -D output_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -D input_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -D forwarding_rule -j "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -F "$IPTABLES_CHAIN" 2>/dev/null
+       iptables -X "$IPTABLES_CHAIN" 2>/dev/null
+}
+
+destroy_iptables
+destroy_ipset
+config_foreach run bcp38
+
+exit 0
-- 
1.7.9.5
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

Reply via email to