[PATCH v3 5/8] fff-firewall: Fix match in ip6tables and add dependencies

mail at adrianschmutzler.de mail at adrianschmutzler.de
Sun Aug 5 23:07:16 CEST 2018


Hello,

I first noticed this as an error in logread, and this patch was the result of my research. I no longer have any sources for it.

At least the syntax part is easy to find via Google, though.

Regards

Adrian

> -----Original Message-----
> From: Tim Niemeyer [mailto:tim at tn-x.org]
> Sent: Sunday, 5 August 2018 17:25
> To: Adrian Schmutzler <freifunk at adrianschmutzler.de>; franken-
> dev at freifunk.net
> Subject: Re: [PATCH v3 5/8] fff-firewall: Fix match in ip6tables and add
> dependencies
> 
> Hi
> 
> On Saturday, 04.08.2018, at 16:34 +0200, Adrian Schmutzler wrote:
> > The syntax " -m state --state " seems to be not supported anymore.
> >
> > The replace should not change behavior compared to lede-17.01-based
> > firmware.
> I'll just take that on trust.
> 
> Otherwise it looks fine:
> Reviewed-by: Tim Niemeyer <tim at tn-x.org>
> 
> Tim
> 
> >
> > Added required dependency.
> >
> > Signed-off-by: Adrian Schmutzler <freifunk at adrianschmutzler.de>
> > ---
> >  src/packages/fff/fff-
> > firewall/Makefile                               | 5 +++--
> >  src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> > | 4 ++--
> >  2 files changed, 5 insertions(+), 4 deletions(-)
> >
> > diff --git a/src/packages/fff/fff-firewall/Makefile
> > b/src/packages/fff/fff-firewall/Makefile
> > index 727901d0..e63010cb 100644
> > --- a/src/packages/fff/fff-firewall/Makefile
> > +++ b/src/packages/fff/fff-firewall/Makefile
> > @@ -1,7 +1,7 @@
> >  include $(TOPDIR)/rules.mk
> >
> >  PKG_NAME:=fff-firewall
> > -PKG_VERSION:=2
> > +PKG_VERSION:=3
> >  PKG_RELEASE:=1
> >
> >  PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
> > @@ -16,7 +16,8 @@ define Package/$(PKG_NAME)
> >      DEPENDS:=+arptables \
> >               +ebtables +ebtables-utils \
> >               +kmod-ebtables-ipv4 +kmod-ebtables-ipv6 \
> > -             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-
> > conntrack-extra
> > +             +iptables-mod-filter +iptables-mod-ipopt +iptables-mod-
> > conntrack-extra \
> > +             +kmod-nf-conntrack6
> >  endef
> >
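
Review bot: The commit message covers the new `+kmod-nf-conntrack6` entry in DEPENDS only with "Added required dependency"; it should name what requires it (presumably the `ip6tables ... -m conntrack --ctstate NEW` rules in 20-filter-ssh), so that the dependency is not dropped later as apparently unused. The PKG_VERSION bump in the same file already marks the package change, so only the explanation is missing.
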
> >  define Package/$(PKG_NAME)/description diff --git
> > a/src/packages/fff/fff-
> > firewall/files/usr/lib/firewall.d/20-filter-ssh
> > b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-
> > ssh
> > index d5cc07ac..50fa087b 100644
> > --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-
> > filter-ssh
> > +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-
> > filter-ssh
> > @@ -3,5 +3,5 @@ iptables -A INPUT -i $IF_WAN -m conntrack --ctstate
> > RELATED,ESTABLISHED -j ACCEP
> >  iptables -A INPUT -i $IF_WAN -j REJECT
> >
> >  # Limit ssh to 6 new connections per 60 seconds -/usr/sbin/ip6tables
> > -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name
> > dropbear -/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m state
> > --state NEW -m recent --update --seconds 60 --hitcount 6 --rttl --name
> > dropbear -j DROP
> > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --
> > ctstate NEW -m recent --set --name dropbear
> > +/usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --
> > ctstate NEW -m recent --update --seconds 60 --hitcount 6 --rttl --
> > name dropbear -j DROP
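
Review bot: The commit message justifies the change to the two ip6tables rules only with "seems to be not supported anymore"; please quote the error that was actually logged and state the firmware base on which `-m state --state NEW` stopped working, so the reason is on record with the patch. The IPv4 rule visible in the hunk context already uses `-m conntrack --ctstate RELATED,ESTABLISHED`, so the new form is consistent with the rest of the file, and the claim that behaviour is unchanged compared to lede-17.01 would be stronger with a note on how it was checked.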


