search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Tomato 1.26 beta(1766)
[tomato.git] / release / src / router / rc / firewall.c
blob15bda5a6a0fe54011531bcf1e73798b2206d44ce
1 /*
2
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
4
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
9
10 This software should be used as a reference only, and it not
11 intended for production use!
12
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
17
18 */
19 /*
20
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
23
24 */
25
26 #include "rc.h"
27
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
31
32 char wanface[IFNAMSIZ];
33 char lanface[IFNAMSIZ];
34 char lan_cclass[sizeof("xxx.xxx.xxx.")];
35 char wanaddr[sizeof("xxx.xxx.xxx.xxx")];
36 static int web_lanport;
37
38 #ifdef DEBUG_IPTFILE
39 static int debug_only = 0;
40 #endif
41
42 static int gateway_mode;
43 static int remotemanage;
44 static int wanup;
45
46 const char *chain_in_drop;
47 const char *chain_in_accept;
48 const char *chain_out_drop;
49 const char *chain_out_accept;
50 const char *chain_out_reject;
51
52 const char ipt_fname[] = "/etc/iptables";
53 FILE *ipt_file;
54
55
56 /*
57 struct {
58 } firewall_data;
59 */
60
61 // -----------------------------------------------------------------------------
62
63
64 void enable_ip_forward(void)
65 {
66 /*
67 ip_forward - BOOLEAN
68 0 - disabled (default)
69 not 0 - enabled
70
71 Forward Packets between interfaces.
72
73 This variable is special, its change resets all configuration
74 parameters to their default state (RFC1122 for hosts, RFC1812
75 for routers)
76 */
77 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
78 }
79
80
81 // -----------------------------------------------------------------------------
82
83 /*
84 static int ip2cclass(char *ipaddr, char *new, int count)
85 {
86 int ip[4];
87
88 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
89 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
90 }
91 */
92
93
94 static int dmz_dst(char *s)
95 {
96 struct in_addr ia;
97 char *p;
98 int n;
99
100 if (nvram_get_int("dmz_enable") <= 0) return 0;
101
102 p = nvram_safe_get("dmz_ipaddr");
103 if ((ia.s_addr = inet_addr(p)) == (in_addr_t)-1) {
104 if (((n = atoi(p)) <= 0) || (n >= 255)) return 0;
105 if (s) sprintf(s, "%s%d", lan_cclass, n);
106 return 1;
107 }
108
109 if (s) strcpy(s, inet_ntoa(ia));
110 return 1;
111 }
112
113 static void ipt_source(const char *s, char *src)
114 {
115 if ((*s) && (strlen(s) < 32)) sprintf(src, "-%s %s", strchr(s, '-') ? "m iprange --src-range" : "s", s);
116 else *src = 0;
117 }
118
119 /*
120 static void get_src(const char *nv, char *src)
121 {
122 char *p;
123
124 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
125 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
126 }
127 else {
128 *src = 0;
129 }
130 }
131 */
132
133 void ipt_write(const char *format, ...)
134 {
135 va_list args;
136
137 va_start(args, format);
138 vfprintf(ipt_file, format, args);
139 va_end(args);
140 }
141
142 // -----------------------------------------------------------------------------
143
144
145 int ipt_ipp2p(const char *v, char *opt)
146 {
147 int n = atoi(v);
148
149 if (n == 0) {
150 *opt = 0;
151 return 0;
152 }
153
154 strcpy(opt, "-m ipp2p ");
155 if ((n & 0xFFF) == 0xFFF) {
156 strcat(opt, "--ipp2p");
157 }
158 else {
159 // x12
160 if (n & 0x0001) strcat(opt, "--apple ");
161 if (n & 0x0002) strcat(opt, "--ares ");
162 if (n & 0x0004) strcat(opt, "--bit ");
163 if (n & 0x0008) strcat(opt, "--dc ");
164 if (n & 0x0010) strcat(opt, "--edk ");
165 if (n & 0x0020) strcat(opt, "--gnu ");
166 if (n & 0x0040) strcat(opt, "--kazaa ");
167 if (n & 0x0080) strcat(opt, "--mute ");
168 if (n & 0x0100) strcat(opt, "--soul ");
169 if (n & 0x0200) strcat(opt, "--waste ");
170 if (n & 0x0400) strcat(opt, "--winmx ");
171 if (n & 0x0800) strcat(opt, "--xdcc ");
172 }
173
174 modprobe("ipt_ipp2p");
175 return 1;
176 }
177
178
179 // -----------------------------------------------------------------------------
180
181
182 char **layer7_in;
183
184 // This L7 matches inbound traffic, caches the results, then the L7 outbound
185 // should read the cached result and set the appropriate marks -- zzz
186 void ipt_layer7_inbound(void)
187 {
188 int en;
189 char **p;
190
191 if (!layer7_in) return;
192
193 en = nvram_match("nf_l7in", "1");
194 if (en) {
195 ipt_write(
196 ":L7in - [0:0]\n"
197 "-A FORWARD -i %s -j L7in\n",
198 wanface);
199 }
200
201 p = layer7_in;
202 while (*p) {
203 if (en) ipt_write("-A L7in %s -j RETURN\n", *p);
204 free(*p);
205 ++p;
206 }
207 free(layer7_in);
208 layer7_in = NULL;
209 }
210
211 int ipt_layer7(const char *v, char *opt)
212 {
213 char s[128];
214 char *path;
215
216 *opt = 0;
217 if (*v == 0) return 0;
218 if (strlen(v) > 32) return -1;
219
220 path = "/etc/l7-extra";
221 sprintf(s, "%s/%s.pat", path, v);
222 if (!f_exists(s)) {
223 path = "/etc/l7-protocols";
224 sprintf(s, "%s/%s.pat", path, v);
225 if (!f_exists(s)) {
226 syslog(LOG_ERR, "L7 %s was not found", v);
227 return -1;
228 }
229 }
230
231 sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v);
232
233 if (nvram_match("nf_l7in", "1")) {
234 if (!layer7_in) layer7_in = calloc(51, sizeof(char *));
235 if (layer7_in) {
236 char **p;
237
238 p = layer7_in;
239 while (*p) {
240 if (strcmp(*p, opt) == 0) return 1;
241 ++p;
242 }
243 if (((p - layer7_in) / sizeof(char *)) < 50) *p = strdup(opt);
244 }
245 }
246
247 modprobe("ipt_layer7");
248 return 1;
249 }
250
251
252
253 // -----------------------------------------------------------------------------
254 // MANGLE
255 // -----------------------------------------------------------------------------
256
257 static void mangle_table(void)
258 {
259 int ttl;
260 char *p;
261
262 ipt_write(
263 "*mangle\n"
264 ":PREROUTING ACCEPT [0:0]\n"
265 ":OUTPUT ACCEPT [0:0]\n");
266
267 if (wanup) {
268 ipt_qos();
269
270 ttl = nvram_get_int("nf_ttl");
271 if (ttl != 0) {
272 modprobe("ipt_TTL");
273 if (ttl > 0) {
274 p = "in";
275 }
276 else {
277 ttl = -ttl;
278 p = "de";
279 }
280 ipt_write(
281 "-I PREROUTING -i %s -j TTL --ttl-%sc %d\n"
282 "-I POSTROUTING -o %s -j TTL --ttl-%sc %d\n",
283 wanface, p, ttl,
284 wanface, p, ttl);
285 }
286 }
287
288 ipt_write("COMMIT\n");
289 }
290
291
292
293 // -----------------------------------------------------------------------------
294 // NAT
295 // -----------------------------------------------------------------------------
296
297 static void nat_table(void)
298 {
299 char lanaddr[32];
300 char lanmask[32];
301 char dst[64];
302 char src[64];
303 char t[512];
304 char *p, *c;
305
306 ipt_write("*nat\n"
307 ":PREROUTING ACCEPT [0:0]\n"
308 ":POSTROUTING ACCEPT [0:0]\n"
309 ":OUTPUT ACCEPT [0:0]\n");
310 if (gateway_mode) {
311 strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
312 strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));
313
314 // Drop incoming packets which destination IP address is to our LAN side directly
315 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
316 wanface,
317 lanaddr, lanmask); // note: ipt will correct lanaddr
318
319 if (wanup) {
320 if (nvram_match("dns_intcpt", "1")) {
321 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
322 lanaddr, lanmask,
323 lanaddr, lanmask,
324 lanaddr);
325 }
326
327 // ICMP packets are always redirected to INPUT chains
328 ipt_write("-A PREROUTING -p icmp -d %s -j DNAT --to-destination %s\n", wanaddr, lanaddr);
329
330
331 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
332 p = t;
333 do {
334 if ((c = strchr(p, ',')) != NULL) *c = 0;
335 ipt_source(p, src);
336
337 if (remotemanage) {
338 ipt_write("-A PREROUTING -p tcp -m tcp %s -d %s --dport %s -j DNAT --to-destination %s:%d\n",
339 src,
340 wanaddr, nvram_safe_get("http_wanport"),
341 lanaddr, web_lanport);
342 }
343 if (nvram_get_int("sshd_remote")) {
344 ipt_write("-A PREROUTING %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n",
345 src,
346 wanaddr, nvram_safe_get("sshd_rport"),
347 lanaddr, nvram_safe_get("sshd_port"));
348 }
349
350 if (!c) break;
351 p = c + 1;
352 } while (*p);
353
354 ipt_forward(IPT_TABLE_NAT);
355 ipt_triggered(IPT_TABLE_NAT);
356 }
357
358 if (nvram_get_int("upnp_enable") & 3) {
359 ipt_write(":upnp - [0:0]\n");
360 if (wanup) {
361 // ! for loopback (all) to work
362 ipt_write("-A PREROUTING -d %s -j upnp\n", wanaddr);
363 }
364 else {
365 ipt_write("-A PREROUTING -i %s -j upnp\n", wanface);
366 }
367 }
368
369 if (wanup) {
370 if (dmz_dst(dst)) {
371 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
372 p = t;
373 do {
374 if ((c = strchr(p, ',')) != NULL) *c = 0;
375 ipt_source(p, src);
376 ipt_write("-A PREROUTING %s -d %s -j DNAT --to-destination %s\n", src, wanaddr, dst);
377 if (!c) break;
378 p = c + 1;
379 } while (*p);
380 }
381 }
382
383 if ((!wanup) || (nvram_get_int("net_snat") != 1)) {
384 ipt_write("-A POSTROUTING -o %s -j MASQUERADE\n", wanface);
385 }
386 else {
387 ipt_write("-A POSTROUTING -o %s -j SNAT --to-source %s\n", wanface, wanaddr);
388 }
389
390 switch (nvram_get_int("nf_loopback")) {
391 case 1: // 1 = forwarded-only
392 case 2: // 2 = disable
393 break;
394 default: // 0 = all (same as block_loopback=0)
395 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
396 lanface,
397 lanaddr, lanmask,
398 lanaddr, lanmask);
399 break;
400 }
401 }
402 ipt_write("COMMIT\n");
403 }
404
405 // -----------------------------------------------------------------------------
406 // FILTER
407 // -----------------------------------------------------------------------------
408
409 static void filter_input(void)
410 {
411 char s[64];
412 char t[512];
413 char *en;
414 char *sec;
415 char *hit;
416 int n;
417 char *p, *c;
418
419 if ((nvram_get_int("nf_loopback") != 0) && (wanup)) { // 0 = all
420 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanaddr);
421 }
422
423 ipt_write(
424 "-A INPUT -m state --state INVALID -j %s\n"
425 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
426 chain_in_drop);
427
428
429 strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
430 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
431 /*
432 ? what if the user uses the start button in GUI ?
433 if (nvram_get_int("telnetd_eas"))
434 if (nvram_get_int("sshd_eas"))
435 */
436 modprobe("ipt_recent");
437
438 ipt_write(
439 "-N shlimit\n"
440 "-A shlimit -m recent --set --name shlimit\n"
441 "-A shlimit -m recent --update --hitcount %s --seconds %s --name shlimit -j DROP\n",
442 hit, sec);
443
444 if (n & 1) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
445 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
446 }
447
448 ipt_write(
449 "-A INPUT -i %s -j ACCEPT\n"
450 "-A INPUT -i lo -j ACCEPT\n",
451 lanface);
452
453 // ICMP request from WAN interface
454 if (nvram_match("block_wan", "0")) {
455 ipt_write("-A INPUT -p icmp -j ACCEPT\n");
456 }
457
458
459 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
460 p = t;
461 do {
462 if ((c = strchr(p, ',')) != NULL) *c = 0;
463
464 ipt_source(p, s);
465
466 if (remotemanage) {
467 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %d -j %s\n",
468 s, nvram_safe_get("lan_ipaddr"), web_lanport, chain_in_accept);
469 }
470
471 if (nvram_get_int("sshd_remote")) {
472 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
473 s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("sshd_port"), chain_in_accept);
474 }
475
476 if (!c) break;
477 p = c + 1;
478 } while (*p);
479
480
481 // IGMP query from WAN interface
482 if (nvram_match("multicast_pass", "1")) {
483 ipt_write("-A INPUT -p igmp -j ACCEPT\n");
484 }
485
486 // Routing protocol, RIP, accept
487 if (nvram_invmatch("dr_wan_rx", "0")) {
488 ipt_write("-A INPUT -p udp -m udp --dport 520 -j ACCEPT\n");
489 }
490
491 // if logging
492 if (*chain_in_drop == 'l') {
493 ipt_write( "-A INPUT -j %s\n", chain_in_drop);
494 }
495
496 // default policy: DROP
497 }
498
499 // clamp TCP MSS to PMTU of WAN interface
500 static void clampmss(void)
501 {
502 int rmtu = nvram_get_int("wan_run_mtu");
503
504 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", rmtu - 39);
505 if (rmtu < 576) {
506 ipt_write("--clamp-mss-to-pmtu\n");
507 }
508 else {
509 ipt_write("--set-mss %d\n", rmtu - 40);
510 }
511 }
512
513 static void filter_forward(void)
514 {
515 char dst[64];
516 char src[64];
517 char t[512];
518 char *p, *c;
519
520 ipt_write(
521 "-A FORWARD -i %s -o %s -j ACCEPT\n" // accept all lan to lan
522 "-A FORWARD -m state --state INVALID -j DROP\n", // drop if INVALID state
523 lanface, lanface);
524
525 // clamp tcp mss to pmtu
526 clampmss();
527
528 if (wanup) {
529 ipt_restrictions();
530 ipt_layer7_inbound();
531 }
532
533 ipt_write(
534 ":wanin - [0:0]\n"
535 ":wanout - [0:0]\n"
536 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" // already established or related (via helper)
537 "-A FORWARD -i %s -j wanin\n" // generic from wan
538 "-A FORWARD -o %s -j wanout\n" // generic to wan
539 "-A FORWARD -i %s -j %s\n", // from lan
540 wanface, wanface, lanface, chain_out_accept);
541
542 #ifdef USE_MINIUPNPD
543 if (nvram_get_int("upnp_enable") & 3) {
544 ipt_write(
545 ":upnp - [0:0]\n"
546 "-A FORWARD -i %s -j upnp\n",
547 wanface);
548 }
549 #else
550 if (nvram_get_int("upnp_enable")) {
551 ipt_write(
552 ":upnp - [0:0]\n"
553 "-A FORWARD -i %s -j upnp\n",
554 wanface);
555 }
556 #endif
557
558 if (wanup) {
559 if (nvram_match("multicast_pass", "1")) {
560 ipt_write("-A wanin -p udp -m udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
561 }
562 ipt_triggered(IPT_TABLE_FILTER);
563 ipt_forward(IPT_TABLE_FILTER);
564
565 if (dmz_dst(dst)) {
566 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
567 p = t;
568 do {
569 if ((c = strchr(p, ',')) != NULL) *c = 0;
570 ipt_source(p, src);
571 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface, src, dst, chain_in_accept);
572 if (!c) break;
573 p = c + 1;
574 } while (*p);
575 }
576 }
577
578
579 // default policy: DROP
580 }
581
582 static void filter_table(void)
583 {
584 int n;
585 char limit[128];
586
587 ipt_write(
588 "*filter\n"
589 ":INPUT DROP [0:0]\n"
590 ":OUTPUT ACCEPT [0:0]\n"
591 );
592
593 n = nvram_get_int("log_limit");
594 if ((n >= 1) && (n <= 9999)) {
595 sprintf(limit, "-m limit --limit %d/m", n);
596 }
597 else {
598 limit[0] = 0;
599 }
600
601 if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
602 ipt_write(
603 ":logdrop - [0:0]\n"
604 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \" --log-tcp-options --log-ip-options\n"
605 "-A logdrop -j DROP\n"
606 ":logreject - [0:0]\n"
607 "-A logreject %s -j LOG --log-prefix \"REJECT \" --log-tcp-options --log-ip-options\n"
608 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
609 limit, limit);
610 }
611 if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
612 ipt_write(
613 ":logaccept - [0:0]\n"
614 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \" --log-tcp-options --log-ip-options\n"
615 "-A logaccept -j ACCEPT\n",
616 limit);
617 }
618
619 filter_input();
620
621 if ((gateway_mode) || (nvram_match("wk_mode_x", "1"))) {
622 ipt_write(":FORWARD DROP [0:0]\n");
623 filter_forward();
624 }
625 else {
626 ipt_write(":FORWARD ACCEPT [0:0]\n");
627 clampmss();
628 }
629 ipt_write("COMMIT\n");
630 }
631
632
633 // -----------------------------------------------------------------------------
634
635 int start_firewall(void)
636 {
637 DIR *dir;
638 struct dirent *dirent;
639 char s[256];
640 char *c;
641 int n;
642 int wanproto;
643
644 simple_lock("firewall");
645 simple_lock("restrictions");
646
647 wanproto = get_wan_proto();
648 wanup = check_wanup();
649
650
651 /*
652 block obviously spoofed IP addresses
653
654 rp_filter - BOOLEAN
655 1 - do source validation by reversed path, as specified in RFC1812
656 Recommended option for single homed hosts and stub network
657 routers. Could cause troubles for complicated (not loop free)
658 networks running a slow unreliable protocol (sort of RIP),
659 or using static routes.
660 0 - No source validation.
661 */
662 if ((dir = opendir("/proc/sys/net/ipv4/conf")) != NULL) {
663 while ((dirent = readdir(dir)) != NULL) {
664 sprintf(s, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name);
665 f_write_string(s, "1", 0, 0);
666 }
667 closedir(dir);
668 }
669
670 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
671
672 n = nvram_get_int("log_in");
673 chain_in_drop = (n & 1) ? "logdrop" : "DROP";
674 chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";
675
676 n = nvram_get_int("log_out");
677 chain_out_drop = (n & 1) ? "logdrop" : "DROP";
678 chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
679 chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";
680
681 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
682
683 strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);
684
685 if ((wanproto == WP_PPTP) || (wanproto == WP_L2TP) || (wanproto == WP_PPPOE)) {
686 strcpy(wanface, "ppp+");
687 }
688 else {
689 strlcpy(wanface, nvram_safe_get("wan_ifname"), sizeof(wanface));
690 }
691
692 strlcpy(wanaddr, get_wanip(), sizeof(wanaddr));
693
694 strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
695 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
696 strlcpy(lan_cclass, s, sizeof(lan_cclass));
697
698 gateway_mode = !nvram_match("wk_mode", "router");
699 if (gateway_mode) {
700 /* Remote management */
701 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
702 nvram_invmatch("http_wanport", "0")) remotemanage = 1;
703 else remotemanage = 0;
704
705 if (nvram_match("remote_mgt_https", "1")) {
706 web_lanport = nvram_get_int("https_lanport");
707 if (web_lanport <= 0) web_lanport = 443;
708 }
709 else {
710 web_lanport = nvram_get_int("http_lanport");
711 if (web_lanport <= 0) web_lanport = 80;
712 }
713 }
714
715
716 if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
717 syslog(LOG_CRIT, "Unable to create iptables restore file");
718 simple_unlock("firewall");
719 return 0;
720 }
721
722 mangle_table();
723 nat_table();
724 filter_table();
725
726 fclose(ipt_file);
727 ipt_file = NULL;
728
729 #ifdef DEBUG_IPTFILE
730 if (debug_only) {
731 simple_unlock("firewall");
732 simple_unlock("restrictions");
733 return 0;
734 }
735 #endif
736
737 #ifdef USE_MINIUPNPD
738 if (nvram_get_int("upnp_enable") & 3) {
739 f_write("/etc/upnp/save", NULL, 0, 0, 0);
740 if (killall("miniupnpd", SIGUSR2) == 0) {
741 f_wait_notexists("/etc/upnp/save", 5);
742 }
743 }
744 #endif
745
746 if (eval("iptables-restore", (char *)ipt_fname) == 0) {
747 led(LED_DIAG, 0);
748 }
749 else {
750 sprintf(s, "%s.error", ipt_fname);
751 rename(ipt_fname, s);
752 syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
753 led(LED_DIAG, 1);
754
755 /*
756
757 -P INPUT DROP
758 -F INPUT
759 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
760 -A INPUT -i br0 -j ACCEPT
761
762 -P FORWARD DROP
763 -F FORWARD
764 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
765 -A FORWARD -i br0 -j ACCEPT
766
767 */
768 }
769
770 #ifdef USE_MINIUPNPD
771 if (nvram_get_int("upnp_enable") & 3) {
772 f_write("/etc/upnp/load", NULL, 0, 0, 0);
773 killall("miniupnpd", SIGUSR2);
774 }
775 #else
776 if (nvram_get_int("upnp_enable")) {
777 killall("upnp", SIGHUP);
778 }
779 #endif
780
781 simple_unlock("restrictions");
782 sched_restrictions();
783 enable_ip_forward();
784
785 led(LED_DMZ, dmz_dst(NULL));
786
787 modprobe_r("ipt_layer7");
788 modprobe_r("ipt_ipp2p");
789 modprobe_r("ipt_web");
790 modprobe_r("ipt_TTL");
791
792 run_nvscript("script_fire", NULL, 1);
793
794 simple_unlock("firewall");
795 return 0;
796 }
797
798 int stop_firewall(void)
799 {
800 led(LED_DMZ, 0);
801 return 0;
802 }
803
804 #ifdef DEBUG_IPTFILE
805 void create_test_iptfile(void)
806 {
807 debug_only = 1;
808 start_firewall();
809 debug_only = 0;
810 }
811 #endif
812
Tomato firmware and modifications.