From patchwork Wed Nov 4 14:40:04 2020
X-Patchwork-Submitter: Maksym Kovalchuck
X-Patchwork-Id: 1394028
X-Patchwork-Delegate: ynezz@true.cz
From: Maksym Kovalchuck
To: openwrt-devel@lists.openwrt.org
Subject: firewall3: add udp/icmp flood protection
Date: Wed, 4 Nov 2020 15:40:04 +0100
Message-Id: <1604500804-26604-1-git-send-email-maksym.kovalchuck-ext@sagemcom.com>
Cc: Maksym Kovalchuck

Signed-off-by: Maksym Kovalchuck --- defaults.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ options.h | 14 +++++++++++--- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/defaults.c b/defaults.c index f03765c..a8c9d4d 100644 --- a/defaults.c +++ b/defaults.c
@@ -28,6 +28,8 @@ static const struct fw3_chain_spec default_chains[] = { C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"), C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"), C(ANY, FILTER, SYN_FLOOD, "syn_flood"), + C(ANY, FILTER, UDP_FLOOD, "udp_flood"), + C(ANY, FILTER, ICMP_FLOOD, "icmp_flood"), C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"), C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"), @@ -49,6 +51,14 @@ const struct fw3_option fw3_flag_opts[] = { FW3_OPT("synflood_rate", limit, defaults, syn_flood_rate), FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst), + FW3_OPT("udpflood_protect", bool, defaults, udp_flood), + FW3_OPT("udpflood_rate", limit, defaults, udp_flood_rate), + FW3_OPT("udpflood_burst", int, defaults, udp_flood_rate.burst), + + FW3_OPT("icmpflood_protect", bool, defaults, icmp_flood), + FW3_OPT("icmpflood_rate", limit, defaults, icmp_flood_rate), + FW3_OPT("icmpflood_burst", int, defaults, icmp_flood_rate.burst), + FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies), FW3_OPT("tcp_ecn", int, defaults, tcp_ecn), FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling), @@ -144,6 +154,10 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p) defs->any_reject_code = FW3_REJECT_CODE_PORT_UNREACH; defs->syn_flood_rate.rate = 25; defs->syn_flood_rate.burst = 50; + defs->udp_flood_rate.rate = 50; + defs->udp_flood_rate.burst = 50; + defs->icmp_flood_rate.rate = 10; + defs->icmp_flood_rate.burst = 1; defs->tcp_syncookies = true; defs->tcp_window_scaling = true; defs->custom_chains = true; @@ -201,6 +215,12 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state, if (defs->syn_flood) set(defs->flags, handle->family, FW3_FLAG_SYN_FLOOD); + if (defs->udp_flood) + set(defs->flags, handle->family, FW3_FLAG_UDP_FLOOD); + + if (defs->icmp_flood) + set(defs->flags, handle->family, FW3_FLAG_ICMP_FLOOD); + for (c = default_chains; c->format; c++) { /* don't touch user chains on selective stop */ 
@@ -231,6 +251,8 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, struct fw3_defaults *defs = &state->defaults; struct fw3_device lodev = { .set = true }; struct fw3_protocol tcp = { .protocol = 6 }; + struct fw3_protocol udp = { .protocol = 17 }; + struct fw3_protocol icmp = { .protocol = 1 }; struct fw3_ipt_rule *r; const char *chains[] = { @@ -309,6 +331,38 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle, fw3_ipt_rule_append(r, "INPUT"); } + if (defs->udp_flood) + { + r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL); + fw3_ipt_rule_limit(r, &defs->udp_flood_rate); + fw3_ipt_rule_target(r, "RETURN"); + fw3_ipt_rule_append(r, "udp_flood"); + + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_target(r, "DROP"); + fw3_ipt_rule_append(r, "udp_flood"); + + r = fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL); + fw3_ipt_rule_target(r, "udp_flood"); + fw3_ipt_rule_append(r, "INPUT"); + } + + if (defs->icmp_flood) + { + r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL); + fw3_ipt_rule_limit(r, &defs->icmp_flood_rate); + fw3_ipt_rule_target(r, "RETURN"); + fw3_ipt_rule_append(r, "icmp_flood"); + + r = fw3_ipt_rule_new(handle); + fw3_ipt_rule_target(r, "DROP"); + fw3_ipt_rule_append(r, "icmp_flood"); + + r = fw3_ipt_rule_create(handle, &icmp, NULL, NULL, NULL, NULL); + fw3_ipt_rule_target(r, "icmp_flood"); + fw3_ipt_rule_append(r, "INPUT"); + } + r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL); fw3_ipt_rule_target(r, "REJECT"); fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code)); diff --git a/options.h b/options.h index cffc01c..7679d0e 100644 --- a/options.h +++ b/options.h 
@@ -82,9 +82,11 @@ enum fw3_flag FW3_FLAG_SRC_DROP = 18, FW3_FLAG_CUSTOM_CHAINS = 19, FW3_FLAG_SYN_FLOOD = 20, - FW3_FLAG_MTU_FIX = 21, - FW3_FLAG_DROP_INVALID = 22, - FW3_FLAG_HOTPLUG = 23, + FW3_FLAG_UDP_FLOOD = 21, + FW3_FLAG_ICMP_FLOOD = 22, + FW3_FLAG_MTU_FIX = 23, + FW3_FLAG_DROP_INVALID = 24, + FW3_FLAG_HOTPLUG = 25, __FW3_FLAG_MAX }; @@ -299,6 +301,12 @@ struct fw3_defaults bool syn_flood; struct fw3_limit syn_flood_rate; + bool udp_flood; + struct fw3_limit udp_flood_rate; + + bool icmp_flood; + struct fw3_limit icmp_flood_rate; + bool tcp_syncookies; int tcp_ecn; bool tcp_window_scaling;
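Review bot: the fw3_load_defaults hunk in defaults.c sets udp_flood_rate to 50/50 and icmp_flood_rate to rate 10 with burst 1 without saying how those values were chosen, and the commit message is only the subject line. A burst of 1 means that once a single ICMP packet has been let through, every further one is dropped until the rate of 10 refills the bucket, which is much tighter than the 25/50 syn_flood default visible in the context lines; please explain the choice in the commit message, state whether both features are opt-in (the hunk adds no default for defs->udp_flood and defs->icmp_flood, so they rely on the struct's initial value), and document the new udpflood_protect/udpflood_rate/udpflood_burst and icmpflood_protect/icmpflood_rate/icmpflood_burst UCI options alongside the existing synflood_* ones.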
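Review bot: in the fw3_print_default_head_rules hunk, the udp_flood and icmp_flood chains rate-limit every UDP or ICMP packet that reaches the INPUT jump, not only new flows: the rules built with fw3_ipt_rule_create(handle, &udp, NULL, NULL, NULL, NULL) and the icmp equivalent carry no state, port or ICMP-type match, whereas the syn_flood chain they mirror is meant for connection attempts. Whether reply traffic to the router's own DNS queries and pings, and ICMP unreachable/packet-too-big messages, is already accepted by an earlier rule in INPUT is not in the visible context; if it is not, that traffic counts against the 50/s and 10/s budgets and the unconditional DROP rule discards it. Please also confirm that struct fw3_protocol icmp = { .protocol = 1 } is translated to ICMPv6 (protocol 58) when handle->family is IPv6, since the chain is declared C(ANY, FILTER, ICMP_FLOOD, "icmp_flood") and a literal protocol-1 match would never fire on the v6 family; and consider whether the DROP rules should be countable or loggable so operators can tell when the limiter is engaging rather than only seeing lost packets.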
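Review bot: in the enum fw3_flag hunk of options.h, inserting FW3_FLAG_UDP_FLOOD = 21 and FW3_FLAG_ICMP_FLOOD = 22 ahead of the existing entries renumbers FW3_FLAG_MTU_FIX, FW3_FLAG_DROP_INVALID and FW3_FLAG_HOTPLUG from 21/22/23 to 23/24/25. Anything that stores these flag values numerically outside this header or indexes a table by the enum is not in the visible diff and would silently shift meaning across an upgrade; appending the two new flags after FW3_FLAG_HOTPLUG (as 24 and 25, still before __FW3_FLAG_MAX) keeps the existing values stable and is the safer choice unless the numbering is known to be purely internal to one process.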