From 5d4b0f972af5ed68f40d5c2ffc52b606b0a49436 Mon Sep 17 00:00:00 2001
From: Stepan Henek <stepan.henek@nic.cz>
Date: Tue, 12 Jun 2018 14:36:58 +0200
Subject: [PATCH 01/12] firewall: accept and drop chains added + option to set
uci config directory added
---
.../01-accept-and-reject-chains-added.patch | 160 ++++++++++++++++++
.../02-uci_config_dir-option-added.patch | 57 +++++++
2 files changed, 217 insertions(+)
create mode 100644 package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
create mode 100644 package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
diff --git a/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
new file mode 100644
index 0000000..1a3970b
--- /dev/null
+++ b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch
@@ -0,0 +1,160 @@
+diff --git a/defaults.c b/defaults.c
+index 11fbf0d..d252301 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -24,6 +24,8 @@
+
+ static const struct fw3_chain_spec default_chains[] = {
+ C(ANY, FILTER, UNSPEC, "reject"),
++ C(ANY, FILTER, UNSPEC, "accept"),
++ C(ANY, FILTER, UNSPEC, "drop"),
+ C(ANY, FILTER, CUSTOM_CHAINS, "input_rule"),
+ C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
+ C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
+@@ -286,6 +288,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
+ fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+ fw3_ipt_rule_append(r, "reject");
+
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_target(r, "ACCEPT");
++ fw3_ipt_rule_append(r, "accept");
++
++ r = fw3_ipt_rule_new(handle);
++ fw3_ipt_rule_target(r, "DROP");
++ fw3_ipt_rule_append(r, "drop");
++
+ break;
+
+ case FW3_TABLE_NAT:
+@@ -308,48 +318,47 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
+ }
+ }
+
++static inline void prepare_tails(struct fw3_ipt_handle *handle,
++ const char* base_chain_name, enum fw3_flag target_flag) {
++ char *target_chain_name = NULL;
++
++ switch (target_flag) {
++ case FW3_FLAG_REJECT:
++ target_chain_name = "reject";
++ break;
++ case FW3_FLAG_DROP:
++ target_chain_name = "drop";
++ break;
++ case FW3_FLAG_ACCEPT:
++ target_chain_name = "accept";
++ break;
++ default:
++ return;
++ }
++
++ struct fw3_ipt_rule *r;
++ r = fw3_ipt_rule_new(handle);
++
++ if (!r)
++ return;
++
++ fw3_ipt_rule_target(r, target_chain_name);
++ fw3_ipt_rule_append(r, base_chain_name);
++
++}
++
+ void
+ fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
+ struct fw3_state *state, bool reload)
+ {
+ struct fw3_defaults *defs = &state->defaults;
+- struct fw3_ipt_rule *r;
+
+ if (handle->table != FW3_TABLE_FILTER)
+ return;
+
+- if (defs->policy_input == FW3_FLAG_REJECT)
+- {
+- r = fw3_ipt_rule_new(handle);
+-
+- if (!r)
+- return;
+-
+- fw3_ipt_rule_target(r, "reject");
+- fw3_ipt_rule_append(r, "INPUT");
+- }
+-
+- if (defs->policy_output == FW3_FLAG_REJECT)
+- {
+- r = fw3_ipt_rule_new(handle);
+-
+- if (!r)
+- return;
+-
+- fw3_ipt_rule_target(r, "reject");
+- fw3_ipt_rule_append(r, "OUTPUT");
+- }
+-
+- if (defs->policy_forward == FW3_FLAG_REJECT)
+- {
+- r = fw3_ipt_rule_new(handle);
+-
+- if (!r)
+- return;
+-
+- fw3_ipt_rule_target(r, "reject");
+- fw3_ipt_rule_append(r, "FORWARD");
+- }
++ prepare_tails(handle, "INPUT", defs->policy_input);
++ prepare_tails(handle, "OUTPUT", defs->policy_output);
++ prepare_tails(handle, "FORWARD", defs->policy_forward);
+ }
+
+ static void
+diff --git a/rules.c b/rules.c
+index 5e1d5f3..a62aae4 100644
+--- a/rules.c
++++ b/rules.c
+@@ -377,10 +377,14 @@ static void set_target(struct fw3_ipt_rule *r, struct fw3_rule *rule)
+ fw3_ipt_rule_target(r, "zone_%s_dest_%s", rule->dest.name, name);
+ else if (need_src_action_chain(rule))
+ fw3_ipt_rule_target(r, "zone_%s_src_%s", rule->src.name, name);
+- else if (strcmp(name, "REJECT"))
+- fw3_ipt_rule_target(r, name);
+- else
++ else if (!strcmp(name, "REJECT"))
+ fw3_ipt_rule_target(r, "reject");
++ else if (!strcmp(name, "ACCEPT"))
++ fw3_ipt_rule_target(r, "accept");
++ else if (!strcmp(name, "DROP"))
++ fw3_ipt_rule_target(r, "drop");
++ else
++ fw3_ipt_rule_target(r, name);
+ }
+
+ static void
+diff --git a/zones.c b/zones.c
+index 505ab20..47cf85b 100644
+--- a/zones.c
++++ b/zones.c
+@@ -421,7 +421,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ };
+
+ #define jump_target(t) \
+- ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])
++ ((t == FW3_FLAG_DROP) ? "drop" : (t == FW3_FLAG_ACCEPT) ? "accept" : ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t]))
+
+ if (handle->table == FW3_TABLE_FILTER)
+ {
+@@ -637,13 +637,13 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port redirections");
+- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT));
+ fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
+
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+ fw3_ipt_rule_comment(r, "Accept port forwards");
+- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT));
+ fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
+ }
+
diff --git a/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
new file mode 100644
index 0000000..d157160
--- /dev/null
+++ b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch
@@ -0,0 +1,57 @@
+diff --git a/main.c b/main.c
+index 1410fef..f2eaa5d 100644
+--- a/main.c
++++ b/main.c
+@@ -38,6 +38,7 @@ static enum fw3_family print_family = FW3_FAMILY_ANY;
+ static struct fw3_state *run_state = NULL;
+ static struct fw3_state *cfg_state = NULL;
+
++static char *uci_config_dir = "/etc/config/";
+
+ static bool
+ build_state(bool runtime)
+@@ -51,6 +52,7 @@ build_state(bool runtime)
+ error("Out of memory");
+
+ state->uci = uci_alloc_context();
++ uci_set_confdir(state->uci, uci_config_dir);
+
+ if (!state->uci)
+ error("Out of memory");
+@@ -508,11 +510,11 @@ lookup_zone(const char *zone, const char *device)
+ static int
+ usage(void)
+ {
+- fprintf(stderr, "fw3 [-4] [-6] [-q] print\n");
+- fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n");
+- fprintf(stderr, "fw3 [-q] network {net}\n");
+- fprintf(stderr, "fw3 [-q] device {dev}\n");
+- fprintf(stderr, "fw3 [-q] zone {zone} [dev]\n");
++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-4] [-6] [-q] print\n");
++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] {start|stop|flush|reload|restart}\n");
++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] network {net}\n");
++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] device {dev}\n");
++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] zone {zone} [dev]\n");
+
+ return 1;
+ }
+@@ -524,7 +526,7 @@ int main(int argc, char **argv)
+ enum fw3_family family = FW3_FAMILY_ANY;
+ struct fw3_defaults *defs = NULL;
+
+- while ((ch = getopt(argc, argv, "46dqh")) != -1)
++ while ((ch = getopt(argc, argv, "46dqu:h")) != -1)
+ {
+ switch (ch)
+ {
+@@ -544,6 +546,10 @@ int main(int argc, char **argv)
+ if (freopen("/dev/null", "w", stderr)) {}
+ break;
+
++ case 'u':
++ uci_config_dir = optarg;
++ break;
++
+ case 'h':
+ rv = usage();
+ goto out;
--
2.19.1