diff options
| -rw-r--r-- | firewall/Makefile | 62 | ||||
| -rw-r--r-- | firewall/files/firewall.config | 195 | ||||
| -rw-r--r-- | firewall/files/firewall.hotplug | 11 | ||||
| -rwxr-xr-x | firewall/files/firewall.init | 61 | ||||
| -rw-r--r-- | firewall/files/firewall.user | 7 | ||||
| -rw-r--r-- | firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch | 33 | ||||
| -rw-r--r-- | firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch | 38 | ||||
| -rw-r--r-- | firewall/patches/0003-Allow-NAT-for-IPv6.patch | 54 |
8 files changed, 461 insertions, 0 deletions
diff --git a/firewall/Makefile b/firewall/Makefile new file mode 100644 index 0000000..012b289 --- /dev/null +++ b/firewall/Makefile @@ -0,0 +1,62 @@ +# +# Copyright (C) 2013-2016 OpenWrt.org +# Copyright (C) 2016 LEDE project +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall +PKG_RELEASE:=4 + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git +PKG_SOURCE_DATE:=2019-11-22 +PKG_SOURCE_VERSION:=8174814a507489ebbe8bb85c1004e1f02919ca82 +PKG_MIRROR_HASH:=84e0cca2d47470bdb1788a8ae044cc425be8ff650a1137474ba43a15040085da +PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io> +PKG_LICENSE:=ISC + +PKG_CONFIG_DEPENDS := CONFIG_IPV6 + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/firewall + SECTION:=net + CATEGORY:=Base system + TITLE:=OpenWrt C Firewall + DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +endef + +define Package/firewall/description + This package provides a config-compatible C implementation of the UCI firewall. +endef + +define Package/firewall/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto +TARGET_LDFLAGS += -Wl,--gc-sections -flto +CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1) + +define Package/firewall/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3 + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_CONF) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/config/ + $(INSTALL_CONF) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/ + $(INSTALL_CONF) ./files/firewall.user $(1)/etc/firewall.user + $(INSTALL_DIR) $(1)/usr/share/fw3 + $(INSTALL_CONF) $(PKG_BUILD_DIR)/helpers.conf $(1)/usr/share/fw3 +endef + +$(eval $(call BuildPackage,firewall)) diff --git a/firewall/files/firewall.config b/firewall/files/firewall.config new file mode 100644 index 0000000..8874e98 --- /dev/null +++ b/firewall/files/firewall.config @@ -0,0 +1,195 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + list network 'lan' + option input ACCEPT + option output ACCEPT + option forward ACCEPT + +config zone + option name wan + list network 'wan' + list network 'wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +config rule + option name Allow-IGMP + option src wan + option proto igmp + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fc00::/6 + option dest_ip fc00::/6 + option dest_port 546 + option family ipv6 + option target ACCEPT + +config rule + option name Allow-MLD + option src wan + option proto icmp + option src_ip fe80::/10 + list icmp_type '130/0' + list icmp_type '131/0' + list icmp_type '132/0' + list icmp_type '143/0' + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +config rule + option name Allow-IPSec-ESP + option src wan + option dest lan + option proto esp + option target ACCEPT + +config rule + option name Allow-ISAKMP + option src wan + option dest lan + option dest_port 500 + option proto udp + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/firewall/files/firewall.hotplug b/firewall/files/firewall.hotplug new file mode 100644 index 0000000..f1eab00 --- /dev/null +++ b/firewall/files/firewall.hotplug @@ -0,0 +1,11 @@ +#!/bin/sh + +[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0 +[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0 + +/etc/init.d/firewall enabled || exit 0 + +fw3 -q network "$INTERFACE" >/dev/null || exit 0 + +logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)" +fw3 -q reload diff --git a/firewall/files/firewall.init b/firewall/files/firewall.init new file mode 100755 index 0000000..ee3ed1a --- /dev/null +++ b/firewall/files/firewall.init @@ -0,0 +1,61 @@ +#!/bin/sh /etc/rc.common + +START=19 +USE_PROCD=1 +QUIET="" + +validate_firewall_redirect() +{ + uci_validate_section firewall redirect "${1}" \ + 'proto:or(uinteger, string)' \ + 'src:string' \ + 'src_ip:cidr' \ + 'src_dport:or(port, portrange)' \ + 'dest:string' \ + 'dest_ip:cidr' \ + 'dest_port:or(port, portrange)' \ + 'target:or("SNAT", "DNAT")' +} + +validate_firewall_rule() +{ + uci_validate_section firewall rule "${1}" \ + 'proto:or(uinteger, string)' \ + 'src:string' \ + 'dest:string' \ + 'src_port:or(port, portrange)' \ + 'dest_port:or(port, portrange)' \ + 'target:string' +} + +service_triggers() { + procd_add_reload_trigger firewall + + procd_open_validate + validate_firewall_redirect + validate_firewall_rule + procd_close_validate +} + +restart() { + fw3 restart +} + +start_service() { + fw3 ${QUIET} start +} + +stop_service() { + fw3 flush +} + +reload_service() { + fw3 reload +} + +boot() { + # Be silent on boot, firewall might be started by hotplug already, + # so don't complain in syslog. + QUIET=-q + start +} diff --git a/firewall/files/firewall.user b/firewall/files/firewall.user new file mode 100644 index 0000000..6f79906 --- /dev/null +++ b/firewall/files/firewall.user @@ -0,0 +1,7 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + +# Internal uci firewall chains are flushed and recreated on reload, so +# put custom rules into the root chains e.g. INPUT or FORWARD or into the +# special user chains, e.g. input_wan_rule or postrouting_lan_rule. diff --git a/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch new file mode 100644 index 0000000..9e23dfd --- /dev/null +++ b/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch @@ -0,0 +1,33 @@ +From 4a7df7d8c4e40fd2ce0d9f125755249dee17a8bd Mon Sep 17 00:00:00 2001 +From: Yousong Zhou <yszhou4tech@gmail.com> +Date: Fri, 24 Jul 2020 12:52:59 +0800 +Subject: [PATCH] zones: apply tcp mss clamping also on ingress path + +Fixes FS#3231 + +Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> +Acked-by: Jo-Philipp Wich <jo@mein.io> +(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a) +--- + zones.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/zones.c b/zones.c +index 01fb706..3d54a76 100644 +--- a/zones.c ++++ b/zones.c +@@ -552,6 +552,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, + fw3_ipt_rule_target(r, "TCPMSS"); + fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL); + fw3_ipt_rule_replace(r, "FORWARD"); ++ ++ r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL); ++ fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST"); ++ fw3_ipt_rule_addarg(r, false, "SYN", NULL); ++ fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name); ++ fw3_ipt_rule_target(r, "TCPMSS"); ++ fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL); ++ fw3_ipt_rule_replace(r, "FORWARD"); + } + } + else if (handle->table == FW3_TABLE_RAW) diff --git a/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch new file mode 100644 index 0000000..c7a4593 --- /dev/null +++ b/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch @@ -0,0 +1,38 @@ +From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001 +From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com> +Date: Sat, 15 Aug 2020 13:50:27 +0900 +Subject: [PATCH] options: fix parsing of boolean attributes + +Boolean attributes were parsed the same way as string attributes, +so a value of { "bool_attr": "true" } would be parsed correctly, but +{ "bool_attr": true } (without quotes) was parsed as false. + +Fixes FS#3284 + +Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com> +--- + options.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/options.c ++++ b/options.c +@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st + if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) { + snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e)); + v = buf; ++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) { ++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o)); ++ v = buf; + } else { + v = blobmsg_get_string(e); + } +@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st + if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) { + snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o)); + v = buf; ++ } else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) { ++ snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o)); ++ v = buf; + } else { + v = blobmsg_get_string(o); + } diff --git a/firewall/patches/0003-Allow-NAT-for-IPv6.patch b/firewall/patches/0003-Allow-NAT-for-IPv6.patch new file mode 100644 index 0000000..71f50c8 --- /dev/null +++ b/firewall/patches/0003-Allow-NAT-for-IPv6.patch @@ -0,0 +1,54 @@ +From c0d53458a7d06e116b6ef8c95b5c0c7a0826a0dc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= <cynerd@email.cz> +Date: Sat, 15 May 2021 13:15:32 +0200 +Subject: [PATCH] Allow NAT for IPv6 + +--- + defaults.c | 4 ++-- + zones.c | 8 ++++---- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/defaults.c b/defaults.c +index 7ad4fba..b0b4698 100644 +--- a/defaults.c ++++ b/defaults.c +@@ -29,8 +29,8 @@ static const struct fw3_chain_spec default_chains[] = { + C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"), + C(ANY, FILTER, SYN_FLOOD, "syn_flood"), + +- C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"), +- C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"), ++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_rule"), ++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_rule"), + + { } + }; +diff --git a/zones.c b/zones.c +index 51a8fdf..545ced4 100644 +--- a/zones.c ++++ b/zones.c +@@ -37,8 +37,8 @@ static const struct fw3_chain_spec zone_chains[] = { + C(ANY, FILTER, REJECT, "zone_?_dest_REJECT"), + C(ANY, FILTER, DROP, "zone_?_dest_DROP"), + +- C(V4, NAT, SNAT, "zone_?_postrouting"), +- C(V4, NAT, DNAT, "zone_?_prerouting"), ++ C(ANY, NAT, SNAT, "zone_?_postrouting"), ++ C(ANY, NAT, DNAT, "zone_?_prerouting"), + + C(ANY, RAW, HELPER, "zone_?_helper"), + C(ANY, RAW, NOTRACK, "zone_?_notrack"), +@@ -47,8 +47,8 @@ static const struct fw3_chain_spec zone_chains[] = { + C(ANY, FILTER, CUSTOM_CHAINS, "output_?_rule"), + C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_?_rule"), + +- C(V4, NAT, CUSTOM_CHAINS, "prerouting_?_rule"), +- C(V4, NAT, CUSTOM_CHAINS, "postrouting_?_rule"), ++ C(ANY, NAT, CUSTOM_CHAINS, "prerouting_?_rule"), ++ C(ANY, NAT, CUSTOM_CHAINS, "postrouting_?_rule"), + + { } + }; +-- +2.31.1 + |