298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-08-08 09:54:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

firewall: add Fullcone-NAT option

Browse Source
This commit is contained in:
LEAN-ESX 2019-05-26 10:26:57 -07:00
parent b720b9bbd4
commit 91bdd6b3e0
3 changed files with 57 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
package/network/config/firewall/Makefile
View File

@ -9,7 +9,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=firewall PKG_NAME:=firewall
PKG_RELEASE:=2 PKG_RELEASE:=5
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git PKG_SOURCE_URL=$(PROJECT_GIT)/project/firewall3.git
@ -28,19 +28,9 @@ define Package/firewall
SECTION:=net SECTION:=net
CATEGORY:=Base system CATEGORY:=Base system
TITLE:=OpenWrt C Firewall TITLE:=OpenWrt C Firewall
DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +PACKAGE_firewall-FULLCONENAT:iptables-mod-fullconenat DEPENDS:=+libubox +libubus +libuci +libip4tc +IPV6:libip6tc +libxtables +kmod-ipt-core +kmod-ipt-conntrack +IPV6:kmod-nf-conntrack6 +kmod-ipt-nat +iptables-mod-fullconenat
endef endef
define Package/firewall/config
if PACKAGE_firewall
config PACKAGE_firewall-FULLCONENAT
bool "Use FULLCONENAT"
default y
endif
endef
TARGET_CFLAGS += $(if $(CONFIG_PACKAGE_firewall-FULLCONENAT),-DUSE_FULLCONENAT,)
define Package/firewall/description define Package/firewall/description
This package provides a config-compatible C implementation of the UCI firewall. This package provides a config-compatible C implementation of the UCI firewall.
endef endef

1
package/network/config/firewall/files/firewall.config
View File

@ -3,6 +3,7 @@ config defaults
option input ACCEPT option input ACCEPT
option output ACCEPT option output ACCEPT
option forward REJECT option forward REJECT
option fullcone 1
# Uncomment this line to disable ipv6 rules # Uncomment this line to disable ipv6 rules
# option disable_ipv6 1 # option disable_ipv6 1

68
package/network/config/firewall/patches/fullconenat.patch
View File

@ -1,23 +1,63 @@
index 85a3750..9fac9b1 100644
--- a/defaults.c
+++ b/defaults.c
@@ -46,7 +46,9 @@ const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("synflood_protect", bool, defaults, syn_flood),
FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate),
FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
-
+
+ FW3_OPT("fullcone", bool, defaults, fullcone),
+
FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
diff --git a/options.h b/options.h
index 6edd174..c02eb97 100644
--- a/options.h
+++ b/options.h
@@ -267,6 +267,7 @@ struct fw3_defaults
bool drop_invalid;
bool syn_flood;
+ bool fullcone;
struct fw3_limit syn_flood_rate;
bool tcp_syncookies;
diff --git a/zones.c b/zones.c diff --git a/zones.c b/zones.c
index 505ab20..44500d5 100644 index 2aa7473..57eead0 100644
--- a/zones.c --- a/zones.c
+++ b/zones.c +++ b/zones.c
@@ -708,8 +708,18 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state, @@ -627,6 +627,7 @@ print_zone_rule(struct fw3_ipt_handle *h
struct fw3_address *msrc;
struct fw3_address *mdest;
struct fw3_ipt_rule *r;
+ struct fw3_defaults *defs = &state->defaults;
if (!fw3_is_family(zone, handle->family))
return;
@@ -712,8 +713,22 @@ print_zone_rule(struct fw3_ipt_handle *h
{ {
r = fw3_ipt_rule_new(handle); r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_src_dest(r, msrc, mdest); fw3_ipt_rule_src_dest(r, msrc, mdest);
+#ifdef USE_FULLCONENAT - fw3_ipt_rule_target(r, "MASQUERADE");
+ fw3_ipt_rule_target(r, "FULLCONENAT"); - fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+#else + /*FIXME: Workaround for FULLCONE-NAT*/
fw3_ipt_rule_target(r, "MASQUERADE"); + if(defs->fullcone)
+#endif + {
fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name); + warn("%s will enable FULLCONE-NAT", zone->name);
+#ifdef USE_FULLCONENAT + fw3_ipt_rule_target(r, "FULLCONENAT");
+ r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+ fw3_ipt_rule_src_dest(r, msrc, mdest); + r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_target(r, "FULLCONENAT"); + fw3_ipt_rule_src_dest(r, msrc, mdest);
+ fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name); + fw3_ipt_rule_target(r, "FULLCONENAT");
+#endif + fw3_ipt_rule_append(r, "zone_%s_prerouting", zone->name);
+ }
+ else
+ {
+ fw3_ipt_rule_target(r, "MASQUERADE");
+ fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
+ }
} }
} }
} }