[PATCH] firewall.d: Check for unset IF_WAN

robert rlanghammer at web.de
Sat Oct 19 21:03:00 CEST 2019


Hi Adrian,

Catching errors is always good!

Reviewed-by: Robert Langhammer <rlanghammer at web.de>

On 09.10.19 at 18:27, Adrian Schmutzler wrote:
> In some cases (mostly for one-port devices) IF_WAN was used
> although not set, resulting in non-obvious iptables error
> messages like
>
> - Bad argument `conntrack'
>
> - Bad argument `REJECT'
>
> Thus, check whether IF_WAN is set to something before using it.
>
> Signed-off-by: Adrian Schmutzler <freifunk at adrianschmutzler.de>
> ---
>  src/packages/fff/fff-firewall/Makefile                      | 2 +-
>  .../fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh | 6 ++++--
>  src/packages/fff/fff-gateway/Makefile                       | 2 +-
>  .../fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan  | 6 ++++--
>  4 files changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/src/packages/fff/fff-firewall/Makefile b/src/packages/fff/fff-firewall/Makefile
> index 7bb82b17..56543331 100644
> --- a/src/packages/fff/fff-firewall/Makefile
> +++ b/src/packages/fff/fff-firewall/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=fff-firewall
> -PKG_RELEASE:=3
> +PKG_RELEASE:=4
>
>  PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
>
> diff --git a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> index 50fa087b..aa04ce93 100644
> --- a/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> +++ b/src/packages/fff/fff-firewall/files/usr/lib/firewall.d/20-filter-ssh
> @@ -1,6 +1,8 @@
>  # If an router has a direct internet connection simple attack act as DOS attack
> -iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -iptables -A INPUT -i $IF_WAN -j REJECT
> +if [ -n "$IF_WAN" ]; then
> +	iptables -A INPUT -i $IF_WAN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> +	iptables -A INPUT -i $IF_WAN -j REJECT
> +fi
>
>  # Limit ssh to 6 new connections per 60 seconds
>  /usr/sbin/ip6tables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name dropbear
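Review bot: the `$IF_WAN` expansions inside the new `if` block are still unquoted (`iptables -A INPUT -i $IF_WAN ...`), while the guard itself uses `[ -n "$IF_WAN" ]`; quoting them as `"$IF_WAN"` would be consistent and avoids word splitting should the variable ever hold unexpected content. When the guard is false the WAN INPUT rules are silently skipped, so a one-line comment stating that an empty IF_WAN means the device has no dedicated WAN port would document why skipping is safe here. While touching this block, the existing comment ("If an router has a direct internet connection simple attack act as DOS attack") could be reworded for clarity.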
> diff --git a/src/packages/fff/fff-gateway/Makefile b/src/packages/fff/fff-gateway/Makefile
> index 7a10544c..71075858 100644
> --- a/src/packages/fff/fff-gateway/Makefile
> +++ b/src/packages/fff/fff-gateway/Makefile
> @@ -1,7 +1,7 @@
>  include $(TOPDIR)/rules.mk
>
>  PKG_NAME:=fff-gateway
> -PKG_RELEASE:=2
> +PKG_RELEASE:=3
>
>  PKG_BUILD_DIR:=$(BUILD_DIR)/fff-gateway
>
> diff --git a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> index f989d6be..2d4ee926 100644
> --- a/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> +++ b/src/packages/fff/fff-gateway/files/usr/lib/firewall.d/10-no-forward-wan
> @@ -1,3 +1,5 @@
>  # Ensure nothing is forwarded onto WAN interface
> -iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> -ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
> +if [ -n "$IF_WAN" ]; then
> +	iptables -A FORWARD -o $IF_WAN -j REJECT --reject-with icmp-net-unreachable
> +	ip6tables -A FORWARD -o $IF_WAN -j REJECT --reject-with no-route
> +fi
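Review bot: same quoting point as in 20-filter-ssh: `-o $IF_WAN` inside the guard should read `-o "$IF_WAN"` to match the `[ -n "$IF_WAN" ]` test. Since this script exists to ensure nothing is forwarded onto the WAN interface, installing no FORWARD rules at all when IF_WAN is empty is a deliberate relaxation; a comment recording that this is only acceptable because an empty IF_WAN means no WAN interface is present, or an `else` branch that logs the skipped case, would make the intent visible to future readers.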
