firewall: add to test

3 files changed, 125 insertions, 0 deletions

diff --git a/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
new file mode 100644
index 0000000..9e23dfd
--- /dev/null
+++ b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
@@ -0,0 +1,33 @@
+From 4a7df7d8c4e40fd2ce0d9f125755249dee17a8bd Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 24 Jul 2020 12:52:59 +0800
+Subject: [PATCH] zones: apply tcp mss clamping also on ingress path
+
+Fixes FS#3231
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+Acked-by: Jo-Philipp Wich <jo@mein.io>
+(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a)
+---
+ zones.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zones.c b/zones.c
+index 01fb706..3d54a76 100644
+--- a/zones.c
++++ b/zones.c
+@@ -552,6 +552,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ 			fw3_ipt_rule_target(r, "TCPMSS");
+ 			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+ 			fw3_ipt_rule_replace(r, "FORWARD");
++
++			r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
++			fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
++			fw3_ipt_rule_addarg(r, false, "SYN", NULL);
++			fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
++			fw3_ipt_rule_target(r, "TCPMSS");
++			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
++			fw3_ipt_rule_replace(r, "FORWARD");
+ 		}
+ 	}
+ 	else if (handle->table == FW3_TABLE_RAW)
diff --git a/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
new file mode 100644
index 0000000..c7a4593
--- /dev/null
+++ b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
@@ -0,0 +1,38 @@
+From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001
+From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+Date: Sat, 15 Aug 2020 13:50:27 +0900
+Subject: [PATCH] options: fix parsing of boolean attributes
+
+Boolean attributes were parsed the same way as string attributes,
+so a value of { "bool_attr": "true" } would be parsed correctly, but
+{ "bool_attr": true } (without quotes) was parsed as false.
+
+Fixes FS#3284
+
+Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+---
+ options.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/options.c
++++ b/options.c
+@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st
+ 						if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ 							snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ 							v = buf;
++						} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++							snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++							v = buf;
+ 						} else {
+ 							v = blobmsg_get_string(e);
+ 						}
+@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st
+ 				if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ 					snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ 					v = buf;
++				} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
++					snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
++					v = buf;
+ 				} else {
+ 					v = blobmsg_get_string(o);
+ 				}
diff --git a/firewall/patches/0003-Allow-NAT-for-IPv6.patch b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
new file mode 100644
index 0000000..71f50c8
--- /dev/null
+++ b/firewall/patches/0003-Allow-NAT-for-IPv6.patch
@@ -0,0 +1,54 @@
+From c0d53458a7d06e116b6ef8c95b5c0c7a0826a0dc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz>
+Date: Sat, 15 May 2021 13:15:32 +0200
+Subject: [PATCH] Allow NAT for IPv6
+
+---
+ defaults.c | 4 ++--
+ zones.c    | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/defaults.c b/defaults.c
+index 7ad4fba..b0b4698 100644
+--- a/defaults.c
++++ b/defaults.c
+@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = {
+ 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
+ 	C(ANY, FILTER, SYN_FLOOD,     "syn_flood"),
+ 
+-	C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_rule"),
+-	C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_rule"),
++	C(ANY,  NAT,    CUSTOM_CHAINS, "prerouting_rule"),
++	C(ANY,  NAT,    CUSTOM_CHAINS, "postrouting_rule"),
+ 
+ 	{ }
+ };
+diff --git a/zones.c b/zones.c
+index 51a8fdf..545ced4 100644
+--- a/zones.c
++++ b/zones.c
+@@ -37,8 +37,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ 	C(ANY, FILTER, REJECT,        "zone_?_dest_REJECT"),
+ 	C(ANY, FILTER, DROP,          "zone_?_dest_DROP"),
+ 
+-	C(V4,  NAT,    SNAT,          "zone_?_postrouting"),
+-	C(V4,  NAT,    DNAT,          "zone_?_prerouting"),
++	C(ANY,  NAT,    SNAT,          "zone_?_postrouting"),
++	C(ANY,  NAT,    DNAT,          "zone_?_prerouting"),
+ 
+ 	C(ANY, RAW,    HELPER,        "zone_?_helper"),
+ 	C(ANY, RAW,    NOTRACK,       "zone_?_notrack"),
+@@ -47,8 +47,8 @@ static const struct fw3_chain_spec zone_chains[] = {
+ 	C(ANY, FILTER, CUSTOM_CHAINS, "output_?_rule"),
+ 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_?_rule"),
+ 
+-	C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_?_rule"),
+-	C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_?_rule"),
++	C(ANY,  NAT,    CUSTOM_CHAINS, "prerouting_?_rule"),
++	C(ANY,  NAT,    CUSTOM_CHAINS, "postrouting_?_rule"),
+ 
+ 	{ }
+ };
+-- 
+2.31.1
+