From: Alin Nastac <alin.nas...@gmail.com> RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error code 1 (Communication with destination administratively prohibited).
Signed-off-by: Alin Nastac <alin.nas...@gmail.com>
---
 defaults.c | 21 ++++++++++++++++-----
 options.h | 2 ++
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/defaults.c b/defaults.c
index 11fbf0d..6565ca2 100644
--- a/defaults.c
+++ b/defaults.c
@@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("output", target, defaults, policy_output),
 FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
+ FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects),
+ FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects),
 FW3_OPT("syn_flood", bool, defaults, syn_flood),
 FW3_OPT("synflood_protect", bool, defaults, syn_flood),
@@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 defs->syn_flood_rate.rate = 25;
 defs->syn_flood_rate.burst = 50;
+ defs->tcp_reset_rejects = true;
 defs->tcp_syncookies = true;
 defs->tcp_window_scaling = true;
 defs->custom_chains = true;
@@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 fw3_ipt_rule_append(r, "INPUT");
 }
- r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
- fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
- fw3_ipt_rule_append(r, "reject");
+ if (defs->tcp_reset_rejects)
+ {
+ r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
+ fw3_ipt_rule_target(r, "REJECT");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+ fw3_ipt_rule_append(r, "reject");
+ }
 r = fw3_ipt_rule_new(handle);
 fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+ fw3_ipt_rule_addarg(r, false, "--reject-with",
+ defs->admin_prohib_rejects ?
+ (handle->family == FW3_FAMILY_V6 ?
+ "adm-prohibited" :
+ "admin-prohib") :
+ "port-unreach");
 fw3_ipt_rule_append(r, "reject");
 break;
diff --git a/options.h b/options.h
index 08fecf6..e3ba99c 100644
--- a/options.h
+++ b/options.h
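Review bot: In the `@@ -276,14 +279,22 @@` hunk the reason a reject may now be an ICMP "administratively prohibited" error instead of a TCP RST exists only in the commit message; the reject-chain code should carry it, e.g. `/* RFC 6092 3.3.1: with tcp_reset_rejects=0 and admin_prohib_rejects=1, unsolicited SYNs are answered with ICMP(v6) adm-prohibited rather than a RST */` above the `if (defs->tcp_reset_rejects)` guard. In the `@@ -113,6 +115,7 @@` hunk `tcp_reset_rejects` gets an explicit `true` while `admin_prohib_rejects` gets nothing, so its initial value depends on `defs` being zero-filled before fw3_load_defaults (not visible here); adding `defs->admin_prohib_rejects = false;` beside the new default makes the intended opt-in explicit. The family split between the iptables alias `admin-prohib` and the ip6tables alias `adm-prohibited` is correct but easy to mistake for a typo, so a short comment on the ternary naming the two REJECT extensions would help the next reader. The `FW3_OPT("admin_prohib_rejects",bool, ...)` line in the first hunk is missing the space after the comma that every neighbouring entry has. fw3_print_default_head_rules begins and ends outside the hunk.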
@@ -276,6 +276,8 @@ struct fw3_defaults
 enum fw3_flag policy_forward;
 bool drop_invalid;
+ bool tcp_reset_rejects;
+ bool admin_prohib_rejects;
 bool syn_flood;
 struct fw3_limit syn_flood_rate;
-- 
2.7.4
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel