domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

firewall: automatically set up NOTRACK rules to disable connection tracking for zones that have no masquerading, no conntrack and no forwarding from/to other zones with masq/conntrack

Browse Source 
SVN-Revision: 15855
This commit is contained in:
Felix Fietkau
2009-05-14 21:46:38 +00:00
parent 11b33255ed
commit f81a781e1a
1 changed files with 43 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
package/firewall/files/uci_firewall.sh
View File

@@ -20,6 +20,16 @@ CUSTOM_CHAINS=1
DEF_INPUT=DROP DEF_INPUT=DROP
DEF_OUTPUT=DROP DEF_OUTPUT=DROP
DEF_FORWARD=DROP DEF_FORWARD=DROP
CONNTRACK_ZONES=
NOTRACK_DISABLED=
find_item() {
local item="$1"; shift
for i in "$@"; do
[ "$i" = "$item" ] && return 0
done
return 1
}
load_policy() { load_policy() {
config_get input $1 input config_get input $1 input
@@ -51,6 +61,7 @@ create_zone() {
$IPTABLES -A output -j zone_$1_$4 $IPTABLES -A output -j zone_$1_$4
$IPTABLES -N zone_$1_nat -t nat $IPTABLES -N zone_$1_nat -t nat
$IPTABLES -N zone_$1_prerouting -t nat $IPTABLES -N zone_$1_prerouting -t nat
$IPTABLES -t raw -N zone_$1_notrack
[ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$1_nat [ "$6" == "1" ] && $IPTABLES -t nat -A POSTROUTING -j zone_$1_nat
} }
@@ -82,6 +93,7 @@ addif() {
$IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE $IPTABLES -I zone_${zone}_nat 1 -t nat -o "$ifname" -j MASQUERADE
$IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting $IPTABLES -I PREROUTING 1 -t nat -i "$ifname" -j zone_${zone}_prerouting
$IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward $IPTABLES -A forward -i "$ifname" -j zone_${zone}_forward
$IPTABLES -t raw -I PREROUTING 1 -i "$ifname" -j zone_${name}_notrack
uci_set_state firewall core "${network}_ifname" "$ifname" uci_set_state firewall core "${network}_ifname" "$ifname"
uci_set_state firewall core "${network}_zone" "$zone" uci_set_state firewall core "${network}_zone" "$zone"
} }
@@ -127,6 +139,15 @@ fw_set_chain_policy() {
$IPTABLES -P $chain $target $IPTABLES -P $chain $target
} }
fw_clear() {
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t raw -F
$IPTABLES -t raw -X
$IPTABLES -X
}
fw_defaults() { fw_defaults() {
[ -n "$DEFAULTS_APPLIED" ] && { [ -n "$DEFAULTS_APPLIED" ] && {
echo "Error: multiple defaults sections detected" echo "Error: multiple defaults sections detected"
@@ -153,17 +174,14 @@ fw_defaults() {
$IPTABLES -P OUTPUT DROP $IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP $IPTABLES -P FORWARD DROP
$IPTABLES -F fw_clear
$IPTABLES -t nat -F config_get_bool drop_invalid $1 drop_invalid 0
$IPTABLES -t nat -X
$IPTABLES -X
config_get_bool drop_invalid $1 drop_invalid 1
[ "$drop_invalid" -gt 0 ] && { [ "$drop_invalid" -gt 0 ] && {
$IPTABLES -A INPUT -m state --state INVALID -j DROP $IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP $IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP $IPTABLES -A FORWARD -m state --state INVALID -j DROP
NOTRACK_DISABLED=1
} }
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -205,9 +223,11 @@ fw_zone() {
config_get name $1 name config_get name $1 name
config_get network $1 network config_get network $1 network
config_get masq $1 masq config_get_bool masq $1 masq "0"
load_policy $1 config_get_bool conntrack $1 conntrack "0"
load_policy $1
[ "$conntrack" = "1" -o "$masq" = "1" ] && append CONNTRACK_ZONES "$name"
[ -z "$network" ] && network=$name [ -z "$network" ] && network=$name
create_zone "$name" "$network" "$input" "$output" "$forward" "$masq" create_zone "$name" "$network" "$input" "$output" "$forward" "$masq"
fw_custom_chains_zone "$name" fw_custom_chains_zone "$name"
@@ -285,6 +305,10 @@ fw_forwarding() {
[ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT [ -n "$dest" ] && z_dest=zone_${dest}_ACCEPT || z_dest=ACCEPT
$IPTABLES -I $z_src 1 -j $z_dest $IPTABLES -I $z_src 1 -j $z_dest
[ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX [ "$mtu_fix" -gt 0 -a -n "$dest" ] && $IPTABLES -I $z_src 1 -j zone_${dest}_MSSFIX
# propagate masq zone flag
find_item "$src" $CONNTRACK_ZONES && append CONNTRACK_ZONES $dest
find_item "$dest" $CONNTRACK_ZONES && append CONNTRACK_ZONES $src
} }
fw_redirect() { fw_redirect() {
@@ -394,6 +418,14 @@ fw_custom_chains_zone() {
$IPTABLES -I zone_${zone}_prerouting 1 -t nat -j prerouting_${zone} $IPTABLES -I zone_${zone}_prerouting 1 -t nat -j prerouting_${zone}
} }
fw_check_notrack() {
local zone="$1"
config_get name "$zone" name
[ -n "$NOTRACK_DISABLED" ] || \
find_item "$name" $CONNTRACK_ZONES || \
$IPTABLES -t raw -A zone_${name}_notrack -j NOTRACK
}
fw_init() { fw_init() {
DEFAULTS_APPLIED= DEFAULTS_APPLIED=
@@ -410,18 +442,16 @@ fw_init() {
echo "Loading includes" echo "Loading includes"
config_foreach fw_include include config_foreach fw_include include
uci_set_state firewall core loaded 1 uci_set_state firewall core loaded 1
config_foreach fw_check_notrack zone
unset CONFIG_APPEND unset CONFIG_APPEND
config_load network config_load network
config_foreach fw_addif interface config_foreach fw_addif interface
} }
fw_stop() { fw_stop() {
$IPTABLES -F fw_clear
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT $IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT $IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT $IPTABLES -P FORWARD ACCEPT
uci_revert_state firewall core uci_revert_state firewall
} }