From patchwork Mon Jul 2 15:29:11 2018
X-Patchwork-Submitter: Alin Năstac
X-Patchwork-Id: 938000
X-Patchwork-Delegate: blogic@openwrt.org
From: Alin Nastac
To: Jo-Philipp Wich
Cc: openwrt-devel@lists.openwrt.org
Date: Mon, 2 Jul 2018 17:29:11 +0200
Message-Id: <1530545351-24848-1-git-send-email-alin.nastac@technicolor.com>
X-Mailer: git-send-email 2.7.4
Subject: [OpenWrt-Devel] [PATCH] firewall3: make reject types selectable by user
From: Alin Nastac RFC 6092 recommends in section 3.3.1 that an IPv6 CPE must respond to unsolicited inbound SYNs with an ICMPv6 Destination Unreachable error code 1 (Communication with destination administratively prohibited). Signed-off-by: Alin Nastac --- defaults.c | 21 ++++++++++++++++----- options.h | 2 ++ 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/defaults.c b/defaults.c index 11fbf0d..6565ca2 100644 --- a/defaults.c +++ b/defaults.c @@ -41,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = { FW3_OPT("output", target, defaults, policy_output), FW3_OPT("drop_invalid", bool, defaults, drop_invalid), + FW3_OPT("tcp_reset_rejects", bool, defaults, tcp_reset_rejects), + FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects), FW3_OPT("syn_flood", bool, defaults, syn_flood), FW3_OPT("synflood_protect", bool, defaults, syn_flood), @@ -113,6 +115,7 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p) defs->syn_flood_rate.rate = 25; defs->syn_flood_rate.burst = 50; + defs->tcp_reset_rejects = true; defs->tcp_syncookies = true; defs->tcp_window_scaling = true; defs->custom_chains = true; 
@@ -276,14 +279,22 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, fw3_ipt_rule_append(r, "INPUT"); } - r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); - fw3_ipt_rule_target(r, "REJECT"); - fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset"); - fw3_ipt_rule_append(r, "reject"); + if (defs->tcp_reset_rejects) + { + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); + fw3_ipt_rule_target(r, "REJECT"); + fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset"); + fw3_ipt_rule_append(r, "reject"); + } r = fw3_ipt_rule_new(handle); fw3_ipt_rule_target(r, "REJECT"); - fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach"); + fw3_ipt_rule_addarg(r, false, "--reject-with", + defs->admin_prohib_rejects ? + (handle->family == FW3_FAMILY_V6 ? + "adm-prohibited" : + "admin-prohib") : + "port-unreach"); fw3_ipt_rule_append(r, "reject"); break; diff --git a/options.h b/options.h index 08fecf6..e3ba99c 100644 --- a/options.h +++ b/options.h @@ -276,6 +276,8 @@ struct fw3_defaults enum fw3_flag policy_forward; bool drop_invalid; + bool tcp_reset_rejects; + bool admin_prohib_rejects; bool syn_flood; struct fw3_limit syn_flood_rate;
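Review bot: in the fw3_flag_opts hunk (defaults.c @@ -41,6 +41,8) the new `FW3_OPT("admin_prohib_rejects",bool, defaults, admin_prohib_rejects)` line drops the space after the first comma and breaks the column alignment every neighbouring entry keeps (compare `FW3_OPT("drop_invalid", bool, defaults, drop_invalid)`); realign it. The commit message should also name the two new UCI options, `tcp_reset_rejects` and `admin_prohib_rejects`, since nothing else in the patch documents them.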
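Review bot: in the fw3_load_defaults hunk (defaults.c @@ -113,6 +115,7) only `tcp_reset_rejects` gets an explicit default; `admin_prohib_rejects` is left to whatever zero-initialisation the enclosing struct receives. Add `defs->admin_prohib_rejects = false;` beside `defs->tcp_reset_rejects = true;` so the intended default is stated in the code rather than implied.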
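Review bot: in the fw3_print_default_head_rules hunk (defaults.c @@ -276,14 +279,22), with the default `tcp_reset_rejects = true` the `-p tcp` rule carrying `--reject-with tcp-reset` is still appended ahead of the catch-all, so enabling `admin_prohib_rejects` on its own does not produce the RFC 6092 section 3.3.1 behaviour the commit message cites; a TCP SYN only reaches the `adm-prohibited` rule when `tcp_reset_rejects` is disabled as well. State in the commit message that both settings are needed (`tcp_reset_rejects 0`, `admin_prohib_rejects 1`), or make the TCP rule depend on both flags. Two smaller points: the option is family-agnostic, so it also switches IPv4 from `port-unreach` to `admin-prohib`, which RFC 6092 does not speak to and deserves a sentence; and the alias spellings are right for each family (`admin-prohib` is the iptables short form of `icmp-admin-prohibited`, `adm-prohibited` the ip6tables short form of `icmp6-adm-prohibited`).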
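As an added example (not code from this patch or from the firewall3 project), the script below audits an ip6tables `reject` chain for the RFC 6092 section 3.3.1 behaviour the commit message cites: it parses iptables-save style text, walks the chain the way netfilter would for a TCP packet (first matching rule wins) and reports what an unsolicited SYN would be answered with. The chain name `reject` is fw3's; the sample chain contents are constructed to mirror the rules fw3 emits under the option settings the patch introduces, and the function names are this example's own.

```python
"""Audit an ip6tables 'reject' chain against RFC 6092 section 3.3.1, which
wants an IPv6 CPE to answer unsolicited inbound TCP SYNs with ICMPv6
Destination Unreachable code 1 (administratively prohibited), not a TCP RST.

Added example, not code from the firewall3 patch or project. It reads
iptables-save style text and walks the chain the way netfilter would for a
TCP packet: first matching rule wins. Only '-p' / '! -p' and a bare
'-m <module>' are modelled; any other matcher raises so that the audit never
silently returns a wrong answer.
"""
import shlex

# Short aliases the iptables/ip6tables REJECT target accepts (fw3 passes these),
# mapped to the canonical names iptables-save prints. 'port-unreach' differs by family.
ALIASES = {
    4: {"port-unreach": "icmp-port-unreachable",
        "admin-prohib": "icmp-admin-prohibited",
        "net-unreach": "icmp-net-unreachable",
        "host-unreach": "icmp-host-unreachable"},
    6: {"port-unreach": "icmp6-port-unreachable",
        "adm-prohibited": "icmp6-adm-prohibited",
        "addr-unreach": "icmp6-addr-unreachable",
        "no-route": "icmp6-no-route"},
}
# What REJECT sends when --reject-with is omitted.
DEFAULT_REJECT = {4: "icmp-port-unreachable", 6: "icmp6-port-unreachable"}


def canonical(name, family):
    return ALIASES[family].get(name, name)


def parse_chain(save_text, family=6, chain="reject"):
    """Rules of '-A <chain>' in order, as (proto, proto_negated, target, reject_with)."""
    rules = []
    for line in save_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A" or tokens[1] != chain:
            continue  # other chains, ':' chain declarations, '*filter', 'COMMIT', comments
        proto, negated, target, reject_with = None, False, None, None
        pending_neg = False
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "!":
                pending_neg = True
                i += 1
            elif tok in ("-p", "--protocol"):
                proto, negated, pending_neg = tokens[i + 1], pending_neg, False
                i += 2
            elif tok in ("-m", "--match"):
                i += 2  # bare module load such as '-m tcp' carrying no options
            elif tok in ("-j", "--jump"):
                target = tokens[i + 1]
                i += 2
            elif tok == "--reject-with":
                reject_with = canonical(tokens[i + 1], family)
                i += 2
            else:
                raise ValueError("unmodelled matcher %r in rule: %s" % (tok, line))
        rules.append((proto, negated, target, reject_with))
    return rules


def reject_for_tcp_syn(save_text, family=6, chain="reject"):
    """Canonical reject type an unsolicited TCP SYN receives from the chain.

    None means no rule matched it, or a non-REJECT target (DROP, RETURN, ...)
    terminated the walk first.
    """
    for proto, negated, target, reject_with in parse_chain(save_text, family, chain):
        is_tcp = proto in ("tcp", "6")
        if proto is not None and is_tcp == negated:
            continue  # this rule does not match a TCP packet
        if target == "REJECT":
            return reject_with or DEFAULT_REJECT[family]
        return None
    return None


def check_rfc6092(save_text, chain="reject"):
    """(compliant, observed) for an ip6tables chain per RFC 6092 section 3.3.1."""
    observed = reject_for_tcp_syn(save_text, family=6, chain=chain)
    return observed == "icmp6-adm-prohibited", observed


# Constructed ip6tables-save excerpts of fw3's 'reject' chain (not captured output).
# fw3 default (tcp_reset_rejects=1, admin_prohib_rejects=0): TCP gets an RST.
SAMPLE_V6_DEFAULT = """\
*filter
:reject - [0:0]
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-port-unreachable
COMMIT
"""
# admin_prohib_rejects=1 alone: the tcp-reset rule still wins for TCP.
SAMPLE_V6_HALF = """\
-A reject -p tcp -j REJECT --reject-with tcp-reset
-A reject -j REJECT --reject-with icmp6-adm-prohibited
"""
# tcp_reset_rejects=0 and admin_prohib_rejects=1: the RFC 6092 behaviour.
SAMPLE_V6_RFC = """\
-A reject -j REJECT --reject-with icmp6-adm-prohibited
"""

if __name__ == "__main__":
    import sys
    if not sys.stdin.isatty():  # ip6tables-save -t filter | python3 reject_audit.py
        ok, got = check_rfc6092(sys.stdin.read())
        print("live chain: TCP SYN -> %s (%s)" % (got, "RFC 6092 OK" if ok else "not RFC 6092"))
    else:
        for name, text in (("default", SAMPLE_V6_DEFAULT), ("half", SAMPLE_V6_HALF),
                           ("rfc", SAMPLE_V6_RFC)):
            ok, got = check_rfc6092(text)
            print("%-8s TCP SYN -> %s  %s" % (name, got, "OK" if ok else "NOT RFC 6092"))
```

On a router, pipe `ip6tables-save -t filter` into the script; run it with no input to see the three constructed cases side by side. The "half" case is the one worth noticing: the catch-all rule says `icmp6-adm-prohibited`, but a TCP SYN never reaches it while the `-p tcp ... tcp-reset` rule sits in front of it, so a compliance check has to reason about rule order rather than grep for the reject type.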