From: Jo-Philipp Wich Date: Tue, 4 Jun 2013 12:21:52 +0000 (+0000) Subject: firewall3: rename to firewall, move into base system menu, update to git head with... X-Git-Tag: reboot~10290 X-Git-Url: http://git.openwrt.org/?p=openwrt%2Fstaging%2Fchunkeey.git;a=commitdiff_plain;h=b721c9222110f0bbf2203da602f60ac0ec6f32ff firewall3: rename to firewall, move into base system menu, update to git head with compatibility fixes for AA SVN-Revision: 36838 --- diff --git a/include/target.mk b/include/target.mk index 6774076f91..c1768023e8 100644 --- a/include/target.mk +++ b/include/target.mk @@ -14,7 +14,7 @@ DEVICE_TYPE?=router # Default packages - the really basic set DEFAULT_PACKAGES:=base-files libc libgcc busybox dropbear mtd uci opkg hotplug2 netifd # For router targets -DEFAULT_PACKAGES.router:=dnsmasq iptables ip6tables ppp ppp-mod-pppoe kmod-ipt-nathelper firewall3 6relayd odhcp6c +DEFAULT_PACKAGES.router:=dnsmasq iptables ip6tables ppp ppp-mod-pppoe kmod-ipt-nathelper firewall 6relayd odhcp6c DEFAULT_PACKAGES.bootloader:= ifneq ($(DUMP),) diff --git a/package/network/config/firewall/Makefile b/package/network/config/firewall/Makefile new file mode 100644 index 0000000000..deb27ea71a --- /dev/null +++ b/package/network/config/firewall/Makefile @@ -0,0 +1,66 @@ +# +# Copyright (C) 2013 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=firewall +PKG_VERSION:=2013-06-04 +PKG_RELEASE:=$(PKG_SOURCE_VERSION) + +PKG_SOURCE_PROTO:=git +PKG_SOURCE_URL:=git://nbd.name/firewall.git +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE_VERSION:=5ee2129eaa23a28bfef6d20c273cafc0be559b3d +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz +PKG_MAINTAINER:=Jo-Philipp Wich + + +include $(INCLUDE_DIR)/package.mk +include $(INCLUDE_DIR)/kernel.mk +include $(INCLUDE_DIR)/cmake.mk + +define Package/firewall + SECTION:=net + CATEGORY:=Base system + TITLE:=OpenWrt C Firewall + DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +endef + +define Package/firewall/description + This package provides a config-compatible C implementation of the UCI firewall. +endef + +define Package/firewall/conffiles +/etc/config/firewall +/etc/firewall.user +endef + +define Build/Configure + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a) + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a) + $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a) + $(call Build/Configure/Default) +endef + +TARGET_CFLAGS += -ffunction-sections -fdata-sections +TARGET_LDFLAGS += -Wl,--gc-sections +CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1) + +define Package/firewall/install + $(INSTALL_DIR) $(1)/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall $(1)/sbin/fw3 + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall + $(INSTALL_DIR) $(1)/etc/hotplug.d/iface + $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall + $(INSTALL_DIR) $(1)/etc/config/ + $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall + $(INSTALL_DIR) $(1)/etc/ + $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user +endef + +$(eval $(call BuildPackage,firewall)) diff --git a/package/network/config/firewall/files/firewall.config b/package/network/config/firewall/files/firewall.config new file mode 100644 index 0000000000..acfb5e5abd --- /dev/null +++ b/package/network/config/firewall/files/firewall.config @@ -0,0 +1,177 @@ +config defaults + option syn_flood 1 + option input ACCEPT + option output ACCEPT + option forward REJECT +# Uncomment this line to disable ipv6 rules +# option disable_ipv6 1 + +config zone + option name lan + list network 'lan' + option input ACCEPT + option output ACCEPT + option forward REJECT + +config zone + option name wan + list network 'wan' + list network 'wan6' + option input REJECT + option output ACCEPT + option forward REJECT + option masq 1 + option mtu_fix 1 + +config forwarding + option src lan + option dest wan + +# We need to accept udp packets on port 68, +# see https://dev.openwrt.org/ticket/4108 +config rule + option name Allow-DHCP-Renew + option src wan + option proto udp + option dest_port 68 + option target ACCEPT + option family ipv4 + +# Allow IPv4 ping +config rule + option name Allow-Ping + option src wan + option proto icmp + option icmp_type echo-request + option family ipv4 + option target ACCEPT + +# Allow DHCPv6 replies +# see https://dev.openwrt.org/ticket/10381 +config rule + option name Allow-DHCPv6 + option src wan + option proto udp + option src_ip fe80::/10 + option src_port 547 + option dest_ip fe80::/10 + option dest_port 546 + option family ipv6 + option target ACCEPT + +# Allow essential incoming IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Input + option src wan + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + list icmp_type router-solicitation + list icmp_type neighbour-solicitation + list icmp_type router-advertisement + list icmp_type neighbour-advertisement + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# Allow essential forwarded IPv6 ICMP traffic +config rule + option name Allow-ICMPv6-Forward + option src wan + option dest * + option proto icmp + list icmp_type echo-request + list icmp_type echo-reply + list icmp_type destination-unreachable + list icmp_type packet-too-big + list icmp_type time-exceeded + list icmp_type bad-header + list icmp_type unknown-header-type + option limit 1000/sec + option family ipv6 + option target ACCEPT + +# include a file with users custom iptables rules +config include + option path /etc/firewall.user + + +### EXAMPLE CONFIG SECTIONS +# do not allow a specific ip to access wan +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option dest wan +# option proto tcp +# option target REJECT + +# block a specific mac on wan +#config rule +# option dest wan +# option src_mac 00:11:22:33:44:66 +# option target REJECT + +# block incoming ICMP traffic on a zone +#config rule +# option src lan +# option proto ICMP +# option target DROP + +# port redirect port coming in on wan to lan +#config redirect +# option src wan +# option src_dport 80 +# option dest lan +# option dest_ip 192.168.16.235 +# option dest_port 80 +# option proto tcp + +# port redirect of remapped ssh port (22001) on wan +#config redirect +# option src wan +# option src_dport 22001 +# option dest lan +# option dest_port 22 +# option proto tcp + +# allow IPsec/ESP and ISAKMP passthrough +#config rule +# option src wan +# option dest lan +# option protocol esp +# option target ACCEPT + +#config rule +# option src wan +# option dest lan +# option src_port 500 +# option dest_port 500 +# option proto udp +# option target ACCEPT + +### FULL CONFIG SECTIONS +#config rule +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 80 +# option dest wan +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp +# option target REJECT + +#config redirect +# option src lan +# option src_ip 192.168.45.2 +# option src_mac 00:11:22:33:44:55 +# option src_port 1024 +# option src_dport 80 +# option dest_ip 194.25.2.129 +# option dest_port 120 +# option proto tcp diff --git a/package/network/config/firewall/files/firewall.hotplug b/package/network/config/firewall/files/firewall.hotplug new file mode 100644 index 0000000000..34f3afec9b --- /dev/null +++ b/package/network/config/firewall/files/firewall.hotplug @@ -0,0 +1,10 @@ +#!/bin/sh + +[ "$ACTION" = ifup ] || exit 0 + +/etc/init.d/firewall enabled || exit 0 + +fw3 -q network "$INTERFACE" >/dev/null || exit 0 + +logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)" +fw3 -q reload diff --git a/package/network/config/firewall/files/firewall.init b/package/network/config/firewall/files/firewall.init new file mode 100755 index 0000000000..64e3a8c12b --- /dev/null +++ b/package/network/config/firewall/files/firewall.init @@ -0,0 +1,25 @@ +#!/bin/sh /etc/rc.common + +START=19 + +boot() { + # Be silent on boot, firewall might be started by hotplug already, + # so don't complain in syslog. + fw3 -q start +} + +start() { + fw3 start +} + +stop() { + fw3 flush +} + +restart() { + fw3 restart +} + +reload() { + fw3 reload +} diff --git a/package/network/config/firewall/files/firewall.user b/package/network/config/firewall/files/firewall.user new file mode 100644 index 0000000000..6f799063f5 --- /dev/null +++ b/package/network/config/firewall/files/firewall.user @@ -0,0 +1,7 @@ +# This file is interpreted as shell script. +# Put your custom iptables rules here, they will +# be executed with each firewall (re-)start. + +# Internal uci firewall chains are flushed and recreated on reload, so +# put custom rules into the root chains e.g. INPUT or FORWARD or into the +# special user chains, e.g. input_wan_rule or postrouting_lan_rule. diff --git a/package/network/config/firewall3/Makefile b/package/network/config/firewall3/Makefile deleted file mode 100644 index 76d756ef09..0000000000 --- a/package/network/config/firewall3/Makefile +++ /dev/null @@ -1,66 +0,0 @@ -# -# Copyright (C) 2013 OpenWrt.org -# -# This is free software, licensed under the GNU General Public License v2. -# See /LICENSE for more information. -# - -include $(TOPDIR)/rules.mk - -PKG_NAME:=firewall3 -PKG_VERSION:=2013-06-04 -PKG_RELEASE:=$(PKG_SOURCE_VERSION) - -PKG_SOURCE_PROTO:=git -PKG_SOURCE_URL:=git://nbd.name/firewall3.git -PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) -PKG_SOURCE_VERSION:=182abe47ae4686944482580b42a972827a0e4b51 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-$(PKG_SOURCE_VERSION).tar.gz -PKG_MAINTAINER:=Jo-Philipp Wich - - -include $(INCLUDE_DIR)/package.mk -include $(INCLUDE_DIR)/kernel.mk -include $(INCLUDE_DIR)/cmake.mk - -define Package/firewall3 - SECTION:=net - CATEGORY:=Network - TITLE:=UCI C Firewall - DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables -endef - -define Package/firewall3/description - This package provides a config-compatible C implementation of the UCI firewall. -endef - -define Package/firewall3/conffiles -/etc/config/firewall -/etc/firewall.user -endef - -define Build/Configure - $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext.a) - $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext4.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext4.a) - $(foreach file,$(lastword $(wildcard $(KERNEL_BUILD_DIR)/iptables-*/extensions/libext6.a)),$(CP) $(file) $(PKG_BUILD_DIR)/libext6.a) - $(call Build/Configure/Default) -endef - -TARGET_CFLAGS += -ffunction-sections -fdata-sections -TARGET_LDFLAGS += -Wl,--gc-sections -CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1) - -define Package/firewall3/install - $(INSTALL_DIR) $(1)/sbin - $(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3 - $(INSTALL_DIR) $(1)/etc/init.d - $(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall - $(INSTALL_DIR) $(1)/etc/hotplug.d/iface - $(INSTALL_DATA) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall - $(INSTALL_DIR) $(1)/etc/config/ - $(INSTALL_DATA) ./files/firewall.config $(1)/etc/config/firewall - $(INSTALL_DIR) $(1)/etc/ - $(INSTALL_DATA) ./files/firewall.user $(1)/etc/firewall.user -endef - -$(eval $(call BuildPackage,firewall3)) diff --git a/package/network/config/firewall3/files/firewall.config b/package/network/config/firewall3/files/firewall.config deleted file mode 100644 index acfb5e5abd..0000000000 --- a/package/network/config/firewall3/files/firewall.config +++ /dev/null @@ -1,177 +0,0 @@ -config defaults - option syn_flood 1 - option input ACCEPT - option output ACCEPT - option forward REJECT -# Uncomment this line to disable ipv6 rules -# option disable_ipv6 1 - -config zone - option name lan - list network 'lan' - option input ACCEPT - option output ACCEPT - option forward REJECT - -config zone - option name wan - list network 'wan' - list network 'wan6' - option input REJECT - option output ACCEPT - option forward REJECT - option masq 1 - option mtu_fix 1 - -config forwarding - option src lan - option dest wan - -# We need to accept udp packets on port 68, -# see https://dev.openwrt.org/ticket/4108 -config rule - option name Allow-DHCP-Renew - option src wan - option proto udp - option dest_port 68 - option target ACCEPT - option family ipv4 - -# Allow IPv4 ping -config rule - option name Allow-Ping - option src wan - option proto icmp - option icmp_type echo-request - option family ipv4 - option target ACCEPT - -# Allow DHCPv6 replies -# see https://dev.openwrt.org/ticket/10381 -config rule - option name Allow-DHCPv6 - option src wan - option proto udp - option src_ip fe80::/10 - option src_port 547 - option dest_ip fe80::/10 - option dest_port 546 - option family ipv6 - option target ACCEPT - -# Allow essential incoming IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Input - option src wan - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - list icmp_type router-solicitation - list icmp_type neighbour-solicitation - list icmp_type router-advertisement - list icmp_type neighbour-advertisement - option limit 1000/sec - option family ipv6 - option target ACCEPT - -# Allow essential forwarded IPv6 ICMP traffic -config rule - option name Allow-ICMPv6-Forward - option src wan - option dest * - option proto icmp - list icmp_type echo-request - list icmp_type echo-reply - list icmp_type destination-unreachable - list icmp_type packet-too-big - list icmp_type time-exceeded - list icmp_type bad-header - list icmp_type unknown-header-type - option limit 1000/sec - option family ipv6 - option target ACCEPT - -# include a file with users custom iptables rules -config include - option path /etc/firewall.user - - -### EXAMPLE CONFIG SECTIONS -# do not allow a specific ip to access wan -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option dest wan -# option proto tcp -# option target REJECT - -# block a specific mac on wan -#config rule -# option dest wan -# option src_mac 00:11:22:33:44:66 -# option target REJECT - -# block incoming ICMP traffic on a zone -#config rule -# option src lan -# option proto ICMP -# option target DROP - -# port redirect port coming in on wan to lan -#config redirect -# option src wan -# option src_dport 80 -# option dest lan -# option dest_ip 192.168.16.235 -# option dest_port 80 -# option proto tcp - -# port redirect of remapped ssh port (22001) on wan -#config redirect -# option src wan -# option src_dport 22001 -# option dest lan -# option dest_port 22 -# option proto tcp - -# allow IPsec/ESP and ISAKMP passthrough -#config rule -# option src wan -# option dest lan -# option protocol esp -# option target ACCEPT - -#config rule -# option src wan -# option dest lan -# option src_port 500 -# option dest_port 500 -# option proto udp -# option target ACCEPT - -### FULL CONFIG SECTIONS -#config rule -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 80 -# option dest wan -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp -# option target REJECT - -#config redirect -# option src lan -# option src_ip 192.168.45.2 -# option src_mac 00:11:22:33:44:55 -# option src_port 1024 -# option src_dport 80 -# option dest_ip 194.25.2.129 -# option dest_port 120 -# option proto tcp diff --git a/package/network/config/firewall3/files/firewall.hotplug b/package/network/config/firewall3/files/firewall.hotplug deleted file mode 100644 index 34f3afec9b..0000000000 --- a/package/network/config/firewall3/files/firewall.hotplug +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh - -[ "$ACTION" = ifup ] || exit 0 - -/etc/init.d/firewall enabled || exit 0 - -fw3 -q network "$INTERFACE" >/dev/null || exit 0 - -logger -t firewall "Reloading firewall due to ifup of $INTERFACE ($DEVICE)" -fw3 -q reload diff --git a/package/network/config/firewall3/files/firewall.init b/package/network/config/firewall3/files/firewall.init deleted file mode 100755 index 64e3a8c12b..0000000000 --- a/package/network/config/firewall3/files/firewall.init +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh /etc/rc.common - -START=19 - -boot() { - # Be silent on boot, firewall might be started by hotplug already, - # so don't complain in syslog. - fw3 -q start -} - -start() { - fw3 start -} - -stop() { - fw3 flush -} - -restart() { - fw3 restart -} - -reload() { - fw3 reload -} diff --git a/package/network/config/firewall3/files/firewall.user b/package/network/config/firewall3/files/firewall.user deleted file mode 100644 index 6f799063f5..0000000000 --- a/package/network/config/firewall3/files/firewall.user +++ /dev/null @@ -1,7 +0,0 @@ -# This file is interpreted as shell script. -# Put your custom iptables rules here, they will -# be executed with each firewall (re-)start. - -# Internal uci firewall chains are flushed and recreated on reload, so -# put custom rules into the root chains e.g. INPUT or FORWARD or into the -# special user chains, e.g. input_wan_rule or postrouting_lan_rule.