[PATCH v3 5/8] fff-firewall: Fix match in ip6tables and add dependencies

Tim Niemeyer tim at tn-x.org
Sun Aug 5 17:24:52 CEST 2018


Hi

On Saturday, 04.08.2018, 16:34 +0200, Adrian Schmutzler wrote:
> The syntax " -m state --state " seems to be no longer supported.
> 
> The replacement should not change behavior compared to
> lede-17.01-based firmware.
I'll just take that on trust.

Otherwise it looks fine:
Reviewed-by: Tim Niemeyer <tim at tn-x.org>

Tim

> 
> Added required dependency.
> 
> Signed-off-by: Adrian Schmutzler <freifunk at adrianschmutzler.de>
> ---
>  src/packages/fff/fff-
> firewall/Makefile                               | 5 +++--
>  src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh 
> | 4 ++--
>  2 files changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/src/packages/fff/fff-firewall/Makefile
> b/src/packages/fff/fff-firewall/Makefile
> index 727901d0..e63010cb 100644
> --- a/src/packages/fff/fff-firewall/Makefile
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
>  
>  PKG_NAME:=fff-firewall
> -PKG_VERSION:=2
> +PKG_VERSION:=3
>  PKG_RELEASE:=1
>  
>  PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
> @@ -16,7 +16,8 @@ define Package/$(PKG_NAME)
>      DEPENDS:=+arptables \
>               +ebtables +ebtables-utils \
>               +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> -             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-
> conntrack-extra
> +             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-
> conntrack-extra \
> +             +kmod-nf-conntrack6
>  endef
>  
>  define Package/$(PKG_NAME)/description
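Review bot: The added `+kmod-nf-conntrack6` line comes with no reason beyond "Added required dependency" in the commit message. Please say there that it is presumably the `-m conntrack --ctstate` match now used by the ip6tables rules in 20-filter-ssh that needs it, so the dependency is not removed again in a later cleanup. Also, the DEPENDS list visible in this hunk names no ip6tables package although 20-filter-ssh calls `/usr/sbin/ip6tables`; if that is pulled in by another package, fine, otherwise it belongs here as well.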
> diff --git a/src/packages/fff/fff-
> firewall/files/usr/lib/firewall.d/20-filter-ssh
> b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-
> ssh
> index d5cc07ac..50fa087b 100644
> --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-
> filter-ssh
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-
> filter-ssh
> @@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEP
>  iptables -A INPUT -i $IF_WAN -j REJECT
>  
>  # Limit ssh to 6 new connections per 60 seconds
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW
> -m recent --set --name dropbear
> -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state --state NEW
> -m recent --update --seconds 60 --hitcount 6 --rttl --name dropbear
> -j DROP
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --
> ctstate NEW -m recent --set --name dropbear
> +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --
> ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --
> name dropbear -j DROP
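Review bot: The comment above the two changed rules says "6 new connections per 60 seconds", but the `--set` rule records each NEW packet before the `--update --seconds 60 --hitcount 6` rule counts it, so the sixth NEW packet inside the window is the one that hits `-j DROP` and only five get through. That predates this patch, but since both lines are being rewritten anyway, either adjust the comment or raise the hitcount to match it. Minor style point: these rules call `/usr/sbin/ip6tables` by absolute path while the IPv4 rules in the context lines use a bare `iptables`; pick one form.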