From 5d4b0f972af5ed68f40d5c2ffc52b606b0a49436 Mon Sep 17 00:00:00 2001 From: Stepan Henek <stepan.henek@nic.cz> Date: Tue, 12 Jun 2018 14:36:58 +0200 Subject: [PATCH 01/12] firewall: accept and drop chains added + option to set uci config directory added --- .../01-accept-and-reject-chains-added.patch | 160 ++++++++++++++++++ .../02-uci_config_dir-option-added.patch | 57 +++++++ 2 files changed, 217 insertions(+) create mode 100644 package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch create mode 100644 package/network/config/firewall/patches/02-uci_config_dir-option-added.patch diff --git a/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch new file mode 100644 index 0000000..1a3970b --- /dev/null +++ b/package/network/config/firewall/patches/01-accept-and-reject-chains-added.patch @@ -0,0 +1,160 @@ +diff --git a/defaults.c b/defaults.c +index 11fbf0d..d252301 100644 +--- a/defaults.c ++++ b/defaults.c +@@ -24,6 +24,8 @@ + + static const struct fw3_chain_spec default_chains[] = { + C(ANY, FILTER, UNSPEC, "reject"), ++ C(ANY, FILTER, UNSPEC, "accept"), ++ C(ANY, FILTER, UNSPEC, "drop"), + C(ANY, FILTER, CUSTOM_CHAINS, "input_rule"), + C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"), + C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"), +@@ -286,6 +288,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, + fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach"); + fw3_ipt_rule_append(r, "reject"); + ++ r = fw3_ipt_rule_new(handle); ++ fw3_ipt_rule_target(r, "ACCEPT"); ++ fw3_ipt_rule_append(r, "accept"); ++ ++ r = fw3_ipt_rule_new(handle); ++ fw3_ipt_rule_target(r, "DROP"); ++ fw3_ipt_rule_append(r, "drop"); ++ + break; + + case FW3_TABLE_NAT: +@@ -308,48 +318,47 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, + } + } + ++static inline void prepare_tails(struct fw3_ipt_handle *handle, ++ const char* base_chain_name, enum fw3_flag target_flag) { ++ char *target_chain_name = NULL; ++ ++ switch (target_flag) { ++ case FW3_FLAG_REJECT: ++ target_chain_name = "reject"; ++ break; ++ case FW3_FLAG_DROP: ++ target_chain_name = "drop"; ++ break; ++ case FW3_FLAG_ACCEPT: ++ target_chain_name = "accept"; ++ break; ++ default: ++ return; ++ } ++ ++ struct fw3_ipt_rule *r; ++ r = fw3_ipt_rule_new(handle); ++ ++ if (!r) ++ return; ++ ++ fw3_ipt_rule_target(r, target_chain_name); ++ fw3_ipt_rule_append(r, base_chain_name); ++ ++} ++ + void + fw3_print_default_tail_rules(struct fw3_ipt_handle *handle, + struct fw3_state *state, bool reload) + { + struct fw3_defaults *defs = &state->defaults; +- struct fw3_ipt_rule *r; + + if (handle->table != FW3_TABLE_FILTER) + return; + +- if (defs->policy_input == FW3_FLAG_REJECT) +- { +- r = fw3_ipt_rule_new(handle); +- +- if (!r) +- return; +- +- fw3_ipt_rule_target(r, "reject"); +- fw3_ipt_rule_append(r, "INPUT"); +- } +- +- if (defs->policy_output == FW3_FLAG_REJECT) +- { +- r = fw3_ipt_rule_new(handle); +- +- if (!r) +- return; +- +- fw3_ipt_rule_target(r, "reject"); +- fw3_ipt_rule_append(r, "OUTPUT"); +- } +- +- if (defs->policy_forward == FW3_FLAG_REJECT) +- { +- r = fw3_ipt_rule_new(handle); +- +- if (!r) +- return; +- +- fw3_ipt_rule_target(r, "reject"); +- fw3_ipt_rule_append(r, "FORWARD"); +- } ++ prepare_tails(handle, "INPUT", defs->policy_input); ++ prepare_tails(handle, "OUTPUT", defs->policy_output); ++ prepare_tails(handle, "FORWARD", defs->policy_forward); + } + + static void +diff --git a/rules.c b/rules.c +index 5e1d5f3..a62aae4 100644 +--- a/rules.c ++++ b/rules.c +@@ -377,10 +377,14 @@ static void set_target(struct fw3_ipt_rule *r, struct fw3_rule *rule) + fw3_ipt_rule_target(r, "zone_%s_dest_%s", rule->dest.name, name); + else if (need_src_action_chain(rule)) + fw3_ipt_rule_target(r, "zone_%s_src_%s", rule->src.name, name); +- else if (strcmp(name, "REJECT")) +- fw3_ipt_rule_target(r, name); +- else ++ else if (!strcmp(name, "REJECT")) + fw3_ipt_rule_target(r, "reject"); ++ else if (!strcmp(name, "ACCEPT")) ++ fw3_ipt_rule_target(r, "accept"); ++ else if (!strcmp(name, "DROP")) ++ fw3_ipt_rule_target(r, "drop"); ++ else ++ fw3_ipt_rule_target(r, name); + } + + static void +diff --git a/zones.c b/zones.c +index 505ab20..47cf85b 100644 +--- a/zones.c ++++ b/zones.c +@@ -421,7 +421,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, + }; + + #define jump_target(t) \ +- ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t]) ++ ((t == FW3_FLAG_DROP) ? "drop" : (t == FW3_FLAG_ACCEPT) ? "accept" : ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])) + + if (handle->table == FW3_TABLE_FILTER) + { +@@ -637,13 +637,13 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT"); + fw3_ipt_rule_comment(r, "Accept port redirections"); +- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]); ++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT)); + fw3_ipt_rule_append(r, "zone_%s_input", zone->name); + + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT"); + fw3_ipt_rule_comment(r, "Accept port forwards"); +- fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]); ++ fw3_ipt_rule_target(r, jump_target(FW3_FLAG_ACCEPT)); + fw3_ipt_rule_append(r, "zone_%s_forward", zone->name); + } + diff --git a/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch new file mode 100644 index 0000000..d157160 --- /dev/null +++ b/package/network/config/firewall/patches/02-uci_config_dir-option-added.patch @@ -0,0 +1,57 @@ +diff --git a/main.c b/main.c +index 1410fef..f2eaa5d 100644 +--- a/main.c ++++ b/main.c +@@ -38,6 +38,7 @@ static enum fw3_family print_family = FW3_FAMILY_ANY; + static struct fw3_state *run_state = NULL; + static struct fw3_state *cfg_state = NULL; + ++static char *uci_config_dir = "/etc/config/"; + + static bool + build_state(bool runtime) +@@ -51,6 +52,7 @@ build_state(bool runtime) + error("Out of memory"); + + state->uci = uci_alloc_context(); ++ uci_set_confdir(state->uci, uci_config_dir); + + if (!state->uci) + error("Out of memory"); +@@ -508,11 +510,11 @@ lookup_zone(const char *zone, const char *device) + static int + usage(void) + { +- fprintf(stderr, "fw3 [-4] [-6] [-q] print\n"); +- fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n"); +- fprintf(stderr, "fw3 [-q] network {net}\n"); +- fprintf(stderr, "fw3 [-q] device {dev}\n"); +- fprintf(stderr, "fw3 [-q] zone {zone} [dev]\n"); ++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-4] [-6] [-q] print\n"); ++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] {start|stop|flush|reload|restart}\n"); ++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] network {net}\n"); ++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] device {dev}\n"); ++ fprintf(stderr, "fw3 [-u <uci_conf_dir>] [-q] zone {zone} [dev]\n"); + + return 1; + } +@@ -524,7 +526,7 @@ int main(int argc, char **argv) + enum fw3_family family = FW3_FAMILY_ANY; + struct fw3_defaults *defs = NULL; + +- while ((ch = getopt(argc, argv, "46dqh")) != -1) ++ while ((ch = getopt(argc, argv, "46dqu:h")) != -1) + { + switch (ch) + { +@@ -544,6 +546,10 @@ int main(int argc, char **argv) + if (freopen("/dev/null", "w", stderr)) {} + break; + ++ case 'u': ++ uci_config_dir = optarg; ++ break; ++ + case 'h': + rv = usage(); + goto out; -- 2.19.1