Initial commit

2025-06-24 16:03:39 +02:00
commit f3256cdaf2
6949 changed files with 1441681 additions and 0 deletions
--- a/package/network/config/firewall/Makefile
+++ b/package/network/config/firewall/Makefile
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2013-2016 OpenWrt.org
+# Copyright (C) 2016 LEDE project
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=firewall
+PKG_RELEASE:=3
+
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
+PKG_SOURCE_DATE:=2019-11-22
+PKG_SOURCE_VERSION:=8174814a507489ebbe8bb85c1004e1f02919ca82
+PKG_MIRROR_HASH:=84e0cca2d47470bdb1788a8ae044cc425be8ff650a1137474ba43a15040085da
+PKG_MAINTAINER:=Jo-Philipp Wich <jo@mein.io>
+PKG_LICENSE:=ISC
+
+PKG_CONFIG_DEPENDS := CONFIG_IPV6
+
+include $(INCLUDE_DIR)/package.mk
+include $(INCLUDE_DIR)/cmake.mk
+
+define Package/firewall
+  SECTION:=net
+  CATEGORY:=Base system
+  TITLE:=OpenWrt C Firewall
+  DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat
+endef
+
+define Package/firewall/description
+ This package provides a config-compatible C implementation of the UCI firewall.
+endef
+
+define Package/firewall/conffiles
+/etc/config/firewall
+/etc/firewall.user
+endef
+
+TARGET_CFLAGS += -ffunction-sections -fdata-sections -flto
+TARGET_LDFLAGS += -Wl,--gc-sections -flto
+CMAKE_OPTIONS += $(if $(CONFIG_IPV6),,-DDISABLE_IPV6=1)
+
+define Package/firewall/install
+	$(INSTALL_DIR) $(1)/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/firewall3 $(1)/sbin/fw3
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/firewall.init $(1)/etc/init.d/firewall
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_CONF) ./files/firewall.hotplug $(1)/etc/hotplug.d/iface/20-firewall
+	$(INSTALL_DIR) $(1)/etc/config/
+	$(INSTALL_CONF) ./files/firewall.config $(1)/etc/config/firewall
+	$(INSTALL_DIR) $(1)/etc/
+	$(INSTALL_CONF) ./files/firewall.user $(1)/etc/firewall.user
+	$(INSTALL_DIR) $(1)/usr/share/fw3
+	$(INSTALL_CONF) $(PKG_BUILD_DIR)/helpers.conf $(1)/usr/share/fw3
+endef
+
+$(eval $(call BuildPackage,firewall))
--- a/package/network/config/firewall/files/firewall.config
+++ b/package/network/config/firewall/files/firewall.config
@@ -0,0 +1,195 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://dev.openwrt.org/ticket/10381
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option src_ip		fc00::/6
+	option dest_ip		fc00::/6
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+# include a file with users custom iptables rules
+config include
+	option path /etc/firewall.user
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
--- a/package/network/config/firewall/files/firewall.hotplug
+++ b/package/network/config/firewall/files/firewall.hotplug
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+[ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0
+[ "$ACTION" = ifupdate -a -z "$IFUPDATE_ADDRESSES" -a -z "$IFUPDATE_DATA" ] && exit 0
+
+/etc/init.d/firewall enabled || exit 0
+
+fw3 -q network "$INTERFACE" >/dev/null || exit 0
+
+logger -t firewall "Reloading firewall due to $ACTION of $INTERFACE ($DEVICE)"
+fw3 -q reload
--- a/package/network/config/firewall/files/firewall.init
+++ b/package/network/config/firewall/files/firewall.init
@@ -0,0 +1,61 @@
+#!/bin/sh /etc/rc.common
+
+START=19
+USE_PROCD=1
+QUIET=""
+
+validate_firewall_redirect()
+{
+	uci_validate_section firewall redirect "${1}" \
+		'proto:or(uinteger, string)' \
+		'src:string' \
+		'src_ip:cidr' \
+		'src_dport:or(port, portrange)' \
+		'dest:string' \
+		'dest_ip:cidr' \
+		'dest_port:or(port, portrange)' \
+		'target:or("SNAT", "DNAT")'
+}
+
+validate_firewall_rule()
+{
+	uci_validate_section firewall rule "${1}" \
+		'proto:or(uinteger, string)' \
+		'src:string' \
+		'dest:string' \
+		'src_port:or(port, portrange)' \
+		'dest_port:or(port, portrange)' \
+		'target:string'
+}
+
+service_triggers() {
+	procd_add_reload_trigger firewall	
+
+	procd_open_validate
+	validate_firewall_redirect
+	validate_firewall_rule
+	procd_close_validate
+}
+
+restart() {
+	fw3 restart
+}
+
+start_service() {
+	fw3 ${QUIET} start
+}
+
+stop_service() {
+	fw3 flush
+}
+
+reload_service() {
+	fw3 reload
+}
+
+boot() {
+	# Be silent on boot, firewall might be started by hotplug already,
+	# so don't complain in syslog.
+	QUIET=-q
+	start
+}
--- a/package/network/config/firewall/files/firewall.user
+++ b/package/network/config/firewall/files/firewall.user
@@ -0,0 +1,7 @@
+# This file is interpreted as shell script.
+# Put your custom iptables rules here, they will
+# be executed with each firewall (re-)start.
+
+# Internal uci firewall chains are flushed and recreated on reload, so
+# put custom rules into the root chains e.g. INPUT or FORWARD or into the
+# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
--- a/package/network/config/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
+++ b/package/network/config/firewall/patches/0001-zones-apply-tcp-mss-clamping-also-on-ingress-path.patch
@@ -0,0 +1,33 @@
+From 4a7df7d8c4e40fd2ce0d9f125755249dee17a8bd Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 24 Jul 2020 12:52:59 +0800
+Subject: [PATCH] zones: apply tcp mss clamping also on ingress path
+
+Fixes FS#3231
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+Acked-by: Jo-Philipp Wich <jo@mein.io>
+(cherry picked from commit e9b90dfac2225927c035f6a76277b850c282dc9a)
+---
+ zones.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/zones.c b/zones.c
+index 01fb706..3d54a76 100644
+--- a/zones.c
+++ b/zones.c
+@@ -552,6 +552,14 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
+ 			fw3_ipt_rule_target(r, "TCPMSS");
+ 			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+ 			fw3_ipt_rule_replace(r, "FORWARD");
+
+			r = fw3_ipt_rule_create(handle, &tcp, dev, NULL, sub, NULL);
+			fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
+			fw3_ipt_rule_addarg(r, false, "SYN", NULL);
+			fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
+			fw3_ipt_rule_target(r, "TCPMSS");
+			fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
+			fw3_ipt_rule_replace(r, "FORWARD");
+ 		}
+ 	}
+ 	else if (handle->table == FW3_TABLE_RAW)
--- a/package/network/config/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
+++ b/package/network/config/firewall/patches/0002-options-fix-parsing-of-boolean-attributes.patch
@@ -0,0 +1,38 @@
+From 78d52a28c66ad0fd2af250038fdcf4239ad37bf2 Mon Sep 17 00:00:00 2001
+From: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+Date: Sat, 15 Aug 2020 13:50:27 +0900
+Subject: [PATCH] options: fix parsing of boolean attributes
+
+Boolean attributes were parsed the same way as string attributes,
+so a value of { "bool_attr": "true" } would be parsed correctly, but
+{ "bool_attr": true } (without quotes) was parsed as false.
+
+Fixes FS#3284
+
+Signed-off-by: Remi NGUYEN VAN <remi.nguyenvan+openwrt@gmail.com>
+---
+ options.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/options.c
+++ b/options.c
+@@ -1170,6 +1170,9 @@ fw3_parse_blob_options(void *s, const st
+ 						if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ 							snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ 							v = buf;
+						} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
+							snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
+							v = buf;
+ 						} else {
+ 							v = blobmsg_get_string(e);
+ 						}
+@@ -1189,6 +1192,9 @@ fw3_parse_blob_options(void *s, const st
+ 				if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ 					snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ 					v = buf;
+				} else if (blobmsg_type(o) == BLOBMSG_TYPE_BOOL) {
+					snprintf(buf, sizeof(buf), "%d", blobmsg_get_bool(o));
+					v = buf;
+ 				} else {
+ 					v = blobmsg_get_string(o);
+ 				}