[OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user
Alin Nastac
alin.nastac at gmail.com
Mon Jul 2 11:29:11 EDT 2018
From: Alin Nastac <alin.nastac at gmail.com>
RFC 6092, section 3.3.1, recommends that an IPv6 CPE respond to
unsolicited inbound TCP SYNs with an ICMPv6 Destination Unreachable error,
code 1 (Communication with destination administratively prohibited).
Signed-off-by: Alin Nastac <alin.nastac at gmail.com>
---
defaults.c | 21 ++++++++++++++++-----
options.h | 2 ++
2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/defaults.c b/defaults.c
index 11fbf0d..6565ca2 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("output", target, defaults, policy_output),
FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
+ FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects),
+ FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),
FW3_OPT("syn_flood", bool, defaults, syn_flood),
FW3_OPT("synflood_protect", bool, defaults, syn_flood),
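Review bot: The new `admin_prohib_rejects` entry drops the space after the comma that every neighbouring FW3_OPT line has; it should read `FW3_OPT("admin_prohib_rejects", bool, defaults, admin_prohib_rejects),`. These two strings are also the user-facing UCI keys of the `defaults` section, and the diffstat shows only defaults.c and options.h changing, so wherever firewall3's `defaults` options are documented should presumably gain both keys together with a note on how they interact (the admin-prohibited reject only reaches TCP when `tcp_reset_rejects` is off). The fw3_flag_opts table begins before this hunk.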
@@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
defs->syn_flood_rate.rate = 25;
defs->syn_flood_rate.burst = 50;
+ defs->tcp_reset_rejects = true;
defs->tcp_syncookies = true;
defs->tcp_window_scaling = true;
defs->custom_chains = true;
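Review bot: Only `tcp_reset_rejects` gets an explicit default here; `admin_prohib_rejects` is left to whatever value `defs` held before fw3_load_defaults ran, which this hunk does not show. For symmetry and so the intended default is visible in one place, add `defs->admin_prohib_rejects = false;` next to the new line. It is worth stating in the commit message that with these defaults the generated rules are unchanged (tcp-reset for TCP, port-unreach otherwise) and the RFC 6092 behaviour is opt-in, since the description reads as if the patch switches to it. fw3_load_defaults starts before this hunk.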
@@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
fw3_ipt_rule_append(r, "INPUT");
}
- r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
- fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
- fw3_ipt_rule_append(r, "reject");
+ if (defs->tcp_reset_rejects)
+ {
+ r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
+ fw3_ipt_rule_target(r, "REJECT");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+ fw3_ipt_rule_append(r, "reject");
+ }
r = fw3_ipt_rule_new(handle);
fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+ fw3_ipt_rule_addarg(r, false, "--reject-with",
+ defs->admin_prohib_rejects ?
+ (handle->family == FW3_FAMILY_V6 ?
+ "adm-prohibited" :
+ "admin-prohib") :
+ "port-unreach");
fw3_ipt_rule_append(r, "reject");
break;
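Review bot: Setting `admin_prohib_rejects` on its own does not produce the RFC 6092 behaviour the commit message describes, because the tcp-reset rule appended just above still matches TCP first (it is on by default per the load_defaults hunk); an unsolicited SYN only gets the admin-prohibited ICMP when `tcp_reset_rejects` is also turned off, and nothing in the code says so. The nested ternary that picks the reject type is also hard to read and hides the IPv4/IPv6 name split; hoisting it into a local with a comment makes both points explicit. Operators should also be told that admin-prohibited deliberately reveals that a filter exists, whereas tcp-reset/port-unreach mimic an unfiltered host — RFC 6092 favours that transparency, but it is a visible policy choice. fw3_print_default_head_rules starts before this hunk and the enclosing switch ends after it.
```c
	/* Admin-prohibited only reaches TCP when tcp_reset_rejects is off;
	 * with it on, the tcp-reset rule above catches TCP first. The
	 * iptables/ip6tables aliases for the ICMP code differ by family. */
	const char *reject_with = "port-unreach";

	if (defs->admin_prohib_rejects)
		reject_with = (handle->family == FW3_FAMILY_V6)
			? "adm-prohibited" : "admin-prohib";

	r = fw3_ipt_rule_new(handle);
	fw3_ipt_rule_target(r, "REJECT");
	fw3_ipt_rule_addarg(r, false, "--reject-with", reject_with);
	fw3_ipt_rule_append(r, "reject");
	/* … unchanged: break … */
```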
diff --git a/options.h b/options.h
index 08fecf6..e3ba99c 100644
--- a/options.h
+++ b/options.h
@@ -276,6 +276,8 @@ struct fw3_defaults
enum fw3_flag policy_forward;
bool drop_invalid;
+ bool tcp_reset_rejects;
+ bool admin_prohib_rejects;
bool syn_flood;
struct fw3_limit syn_flood_rate;
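Review bot: The two new fields carry no comment, and their names do not convey that the second one only changes the non-TCP reject while the first is on; a reader of options.h cannot tell what either controls. Suggested: `bool tcp_reset_rejects;    /* REJECT TCP with tcp-reset (default on) */` and `bool admin_prohib_rejects; /* REJECT with admin-prohibited instead of port-unreach */`. struct fw3_defaults begins and ends outside this hunk.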
--
2.7.4