1 /*
2
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
4
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
9
10 This software should be used as a reference only, and is not
11 intended for production use!
12
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
17
18 */
19 /*
20
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
23
24 */
25
26 #include "rc.h"
27
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
31
/* Interface names and addresses captured at the top of start_firewall()
 * and read by every table writer below. */
char wanface[IFNAMSIZ];				// WAN interface name; "ppp+" for the PPP based WAN types
char lanface[IFNAMSIZ];				// LAN interface name (lan_ifname)
char lan_cclass[sizeof("xxx.xxx.xxx.")];	// lan_ipaddr cut after its last '.', e.g. "192.168.1."; used by dmz_dst()
char wanaddr[sizeof("xxx.xxx.xxx.xxx")];	// current WAN IPv4 address as returned by get_wanip()
static int web_lanport;				// LAN-side web UI port that remote management is DNATed to (80/443 default)

#ifdef DEBUG_IPTFILE
static int debug_only = 0;			// set by create_test_iptfile(): write the restore file but do not load it
#endif

static int gateway_mode;			// non-zero unless wk_mode == "router": enables NAT, DMZ and management rules
static int remotemanage;			// non-zero when the web UI is exposed on http_wanport (gateway mode only)
static int wanup;				// check_wanup() result; WAN dependent rules are only written when set

/* Rule targets: either the plain target or its logging wrapper chain
 * ("logdrop"/"logaccept"/"logreject"), chosen from log_in / log_out in
 * start_firewall(). The writers test the first character ('l') to decide
 * whether the logging chains have to be created. */
const char *chain_in_drop;
const char *chain_in_accept;
const char *chain_out_drop;
const char *chain_out_accept;
const char *chain_out_reject;

const char ipt_fname[] = "/etc/iptables";	// iptables-restore input file produced by start_firewall()
FILE *ipt_file;					// open handle to ipt_fname while the tables are being written; NULL otherwise
54
55
56 /*
57 struct {
58 } firewall_data;
59 */
60
61 // -----------------------------------------------------------------------------
62
63
/*
 * Enable IPv4 forwarding between interfaces.
 * start_firewall() calls this after the rule set has been loaded.
 */
void enable_ip_forward(void)
{
	/*
	ip_forward - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	Forward Packets between interfaces.

	This variable is special, its change resets all configuration
	parameters to their default state (RFC1122 for hosts, RFC1812
	for routers)
	*/
	static const char forward_sysctl[] = "/proc/sys/net/ipv4/ip_forward";

	f_write_string(forward_sysctl, "1", 0, 0);
}
79
80
81 // -----------------------------------------------------------------------------
82
83 /*
84 static int ip2cclass(char *ipaddr, char *new, int count)
85 {
86 int ip[4];
87
88 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
89 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
90 }
91 */
92
93
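/*
 * Resolve the DMZ host address from nvram.
 *
 * dmz_ipaddr is either a full dotted-quad address or a bare host number,
 * which is appended to the LAN's first three octets (lan_cclass).
 *
 * s: output buffer for the address text, or NULL to only test whether a
 *    DMZ host is configured. Callers pass 64-byte buffers; the longest
 *    value written is a 15-character dotted quad plus NUL.
 *
 * Returns 1 (and fills s) when the DMZ is enabled and the address is
 * usable, 0 otherwise; s is left untouched on 0.
 *
 * Note: inet_addr() cannot distinguish 255.255.255.255 from failure, so
 * that address is treated as "not a dotted quad" (as before).
 */
static int dmz_dst(char *s)
{
	struct in_addr ia;
	const char *p;
	char *end;
	long n;

	if (nvram_get_int("dmz_enable") <= 0) return 0;

	p = nvram_safe_get("dmz_ipaddr");
	if ((ia.s_addr = inet_addr(p)) != (in_addr_t)-1) {
		if (s) strcpy(s, inet_ntoa(ia));
		return 1;
	}

	// Not a dotted quad: treat it as a host number inside the LAN /24.
	// strtol instead of atoi so that trailing garbage ("12abc") or an
	// overflowing value is rejected rather than turned into a DNAT target.
	n = strtol(p, &end, 10);
	if ((end == p) || (*end != 0)) return 0;
	if ((n <= 0) || (n >= 255)) return 0;

	if (s) sprintf(s, "%s%ld", lan_cclass, n);
	return 1;
}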
112
/*
 * Build the iptables source-match fragment for one entry of a
 * comma-separated source list (rmgt_sip / dmz_sip).
 *
 * s:   a single address ("1.2.3.4") or a range ("1.2.3.4-1.2.3.9"); a
 *      range is recognised by the '-' and emitted as an iprange match.
 * src: output. Empty when s is empty or 32+ characters long, which makes
 *      the resulting rule match any source. Callers pass 64-byte buffers;
 *      the longest fragment written is 23 + 31 characters plus NUL.
 */
static void ipt_source(const char *s, char *src)
{
	size_t len = strlen(s);

	if ((len == 0) || (len >= 32)) {
		*src = 0;
		return;
	}

	if (strchr(s, '-') != NULL) {
		sprintf(src, "-m iprange --src-range %s", s);
	}
	else {
		sprintf(src, "-s %s", s);
	}
}
118
119 /*
120 static void get_src(const char *nv, char *src)
121 {
122 char *p;
123
124 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
125 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
126 }
127 else {
128 *src = 0;
129 }
130 }
131 */
132
/*
 * printf-style append to the iptables-restore file (ipt_file).
 *
 * Every rule in this file goes through here. `format` should always be a
 * string literal; configuration text (interface names, addresses, ports)
 * only ever enters the rule through the %s / %d arguments.
 *
 * ipt_file must be open: start_firewall() fopen()s it before the table
 * writers run and closes it right after. There is no NULL check here.
 */
void ipt_write(const char *format, ...)
{
	va_list args;

	va_start(args, format);
	vfprintf(ipt_file, format, args);
	va_end(args);
}
141
142 // -----------------------------------------------------------------------------
143
144
/*
 * Translate the ipp2p bitmask stored in nvram into "-m ipp2p ..." options.
 *
 * v:   decimal bitmask text; bits 0..11 select individual protocols, all
 *      twelve set selects the generic --ipp2p match instead.
 * opt: output buffer; cleared when v parses to 0. No length check is
 *      done: 93 bytes hold every combination.
 *
 * Returns 1 (after loading the ipt_ipp2p module) when a match was
 * written, 0 when v selects nothing.
 */
int ipt_ipp2p(const char *v, char *opt)
{
	static const struct {
		int bit;
		const char *name;
	} protos[] = {
		{ 0x0001, "--apple " },
		{ 0x0002, "--ares " },
		{ 0x0004, "--bit " },
		{ 0x0008, "--dc " },
		{ 0x0010, "--edk " },
		{ 0x0020, "--gnu " },
		{ 0x0040, "--kazaa " },
		{ 0x0080, "--mute " },
		{ 0x0100, "--soul " },
		{ 0x0200, "--waste " },
		{ 0x0400, "--winmx " },
		{ 0x0800, "--xdcc " },
	};
	int mask = atoi(v);
	size_t i;

	if (mask == 0) {
		*opt = 0;
		return 0;
	}

	strcpy(opt, "-m ipp2p ");
	if ((mask & 0xFFF) == 0xFFF) {
		// every protocol selected: the generic match covers them all
		strcat(opt, "--ipp2p");
	}
	else {
		// x12
		for (i = 0; i < sizeof(protos) / sizeof(protos[0]); ++i) {
			if (mask & protos[i].bit) strcat(opt, protos[i].name);
		}
	}

	modprobe("ipt_ipp2p");
	return 1;
}
177
178
179 // -----------------------------------------------------------------------------
180
181
// Layer-7 match strings queued by ipt_layer7() for ipt_layer7_inbound()
// while nf_l7in is enabled. NULL until the first entry is queued; the
// array is NULL-terminated and freed (and reset to NULL) by
// ipt_layer7_inbound().
char **layer7_in;
183
// This L7 matches inbound traffic, caches the results, then the L7 outbound
// should read the cached result and set the appropriate marks -- zzz
/*
 * Write the L7in chain for every match collected in layer7_in and release
 * the list. With nf_l7in off nothing is written, but the list is still
 * freed. No-op when nothing was collected. filter_forward() calls this
 * right after ipt_restrictions().
 */
void ipt_layer7_inbound(void)
{
	char **entry;
	int inbound_enabled;

	if (layer7_in == NULL) return;

	inbound_enabled = nvram_match("nf_l7in", "1");
	if (inbound_enabled) {
		ipt_write(
			":L7in - [0:0]\n"
			"-A FORWARD -i %s -j L7in\n",
			wanface);
	}

	for (entry = layer7_in; *entry != NULL; ++entry) {
		if (inbound_enabled) ipt_write("-A L7in %s -j RETURN\n", *entry);
		free(*entry);
	}

	free(layer7_in);
	layer7_in = NULL;
}
210
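enum {
	LAYER7_IN_MAX = 50	// entries kept in layer7_in; one extra slot holds the terminating NULL
};

/*
 * Build the layer7 match for protocol name v.
 *
 * Looks for v.pat under /etc/l7-extra first, then /etc/l7-protocols.
 * When nf_l7in is enabled the finished match is also queued (deduplicated)
 * in layer7_in for ipt_layer7_inbound().
 *
 * v:   protocol name from the rule configuration, at most 32 characters
 *      (it becomes part of a file name and of the rule text).
 * opt: output; cleared first, so it is empty on every failure. The longest
 *      match written is 31 + 17 + 32 characters plus NUL.
 *
 * Returns 1 on success, 0 when v is empty (no match needed), -1 when v is
 * too long or no pattern file exists (logged to syslog).
 */
int ipt_layer7(const char *v, char *opt)
{
	char s[128];
	const char *path;
	char **p;

	*opt = 0;
	if (*v == 0) return 0;
	if (strlen(v) > 32) return -1;

	path = "/etc/l7-extra";
	snprintf(s, sizeof(s), "%s/%s.pat", path, v);
	if (!f_exists(s)) {
		path = "/etc/l7-protocols";
		snprintf(s, sizeof(s), "%s/%s.pat", path, v);
		if (!f_exists(s)) {
			syslog(LOG_ERR, "L7 %s was not found", v);
			return -1;
		}
	}

	sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v);

	if (nvram_match("nf_l7in", "1")) {
		if (!layer7_in) layer7_in = calloc(LAYER7_IN_MAX + 1, sizeof(char *));
		if (layer7_in) {
			for (p = layer7_in; *p; ++p) {
				if (strcmp(*p, opt) == 0) return 1;	// already queued
			}
			// p - layer7_in is already an element count. The old test divided
			// it by sizeof(char *) a second time, so the limit never triggered
			// and the 51st entry overwrote the terminating NULL, after which
			// both this loop and ipt_layer7_inbound() read past the array.
			if ((p - layer7_in) < LAYER7_IN_MAX) *p = strdup(opt);
		}
	}

	modprobe("ipt_layer7");
	return 1;
}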
250
251
252
253 // -----------------------------------------------------------------------------
254 // MANGLE
255 // -----------------------------------------------------------------------------
256
/*
 * Write the mangle table: QoS marking (ipt_qos()) and, when nf_ttl is
 * non-zero, TTL adjustment on the WAN interface — a positive nf_ttl
 * increments the TTL by that amount, a negative one decrements by its
 * magnitude. Only the header and COMMIT are written while the WAN is down.
 */
static void mangle_table(void)
{
	int ttl_adjust;
	const char *direction;

	ipt_write(
		"*mangle\n"
		":PREROUTING ACCEPT [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n");

	if (wanup) {
		ipt_qos();

		ttl_adjust = nvram_get_int("nf_ttl");
		if (ttl_adjust != 0) {
			modprobe("ipt_TTL");
			if (ttl_adjust < 0) {
				direction = "de";
				ttl_adjust = -ttl_adjust;
			}
			else {
				direction = "in";
			}
			ipt_write(
				"-I PREROUTING -i %s -j TTL --ttl-%sc %d\n"
				"-I POSTROUTING -o %s -j TTL --ttl-%sc %d\n",
				wanface, direction, ttl_adjust,
				wanface, direction, ttl_adjust);
		}
	}

	ipt_write("COMMIT\n");
}
290
291
292
293 // -----------------------------------------------------------------------------
294 // NAT
295 // -----------------------------------------------------------------------------
296
/*
 * Write the nat table. In plain router mode only the header and COMMIT
 * are emitted. In gateway mode this adds, in order:
 *  - a PREROUTING drop for WAN packets already addressed to the LAN subnet,
 *  - (WAN up) DNS interception, ICMP redirect to the router, the remote
 *    web/ssh management DNATs, port forwards and port triggers,
 *  - the "upnp" chain hook for miniupnpd,
 *  - (WAN up) the DMZ DNAT,
 *  - MASQUERADE or SNAT on the WAN interface,
 *  - NAT loopback, unless nf_loopback disables it.
 */
static void nat_table(void)
{
	char lanaddr[32];
	char lanmask[32];
	char dst[64];
	char src[64];
	char t[512];
	char *p, *c;

	ipt_write("*nat\n"
		":PREROUTING ACCEPT [0:0]\n"
		":POSTROUTING ACCEPT [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n");
	if (gateway_mode) {
		strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
		strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));

		// Drop incoming packets which destination IP address is to our LAN side directly
		ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
			wanface,
			lanaddr, lanmask); // note: ipt will correct lanaddr

		if (wanup) {
			if (nvram_match("dns_intcpt", "1")) {
				// redirect every LAN DNS query that is not already aimed at
				// the LAN subnet to the router's LAN address
				ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
					lanaddr, lanmask,
					lanaddr, lanmask,
					lanaddr);
			}

			// ICMP packets are always redirected to INPUT chains
			ipt_write("-A PREROUTING -p icmp -d %s -j DNAT --to-destination %s\n", wanaddr, lanaddr);


			// rmgt_sip: comma separated list of allowed management sources.
			// An empty list gives an empty ipt_source() fragment, i.e. the
			// management DNATs below then match any source on the WAN.
			strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
			p = t;
			do {
				if ((c = strchr(p, ',')) != NULL) *c = 0;
				ipt_source(p, src);

				if (remotemanage) {
					// http_wanport is only checked against "" and "0" in
					// start_firewall(); the text goes into --dport as-is
					ipt_write("-A PREROUTING -p tcp -m tcp %s -d %s --dport %s -j DNAT --to-destination %s:%d\n",
						src,
						wanaddr, nvram_safe_get("http_wanport"),
						lanaddr, web_lanport);
				}
				if (nvram_get_int("sshd_remote")) {
					ipt_write("-A PREROUTING %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n",
						src,
						wanaddr, nvram_safe_get("sshd_rport"),
						lanaddr, nvram_safe_get("sshd_port"));
				}

				if (!c) break;
				p = c + 1;
			} while (*p);

			ipt_forward(IPT_TABLE_NAT);
			ipt_triggered(IPT_TABLE_NAT);
		}

		if (nvram_get_int("upnp_enable") & 3) {
			// chain populated by miniupnpd (see the SIGUSR2 handling in start_firewall())
			ipt_write(":upnp - [0:0]\n");
			if (wanup) {
				// ! for loopback (all) to work
				ipt_write("-A PREROUTING -d %s -j upnp\n", wanaddr);
			}
			else {
				ipt_write("-A PREROUTING -i %s -j upnp\n", wanface);
			}
		}

		if (wanup) {
			if (dmz_dst(dst)) {
				// DMZ: whatever still reaches the WAN address goes to the DMZ
				// host, optionally limited to the dmz_sip source list
				strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
				p = t;
				do {
					if ((c = strchr(p, ',')) != NULL) *c = 0;
					ipt_source(p, src);
					ipt_write("-A PREROUTING %s -d %s -j DNAT --to-destination %s\n", src, wanaddr, dst);
					if (!c) break;
					p = c + 1;
				} while (*p);
			}
		}

		// SNAT to the fixed WAN address only when net_snat == 1 and the WAN
		// is up; MASQUERADE otherwise (it follows the interface address)
		if ((!wanup) || (nvram_get_int("net_snat") != 1)) {
			ipt_write("-A POSTROUTING -o %s -j MASQUERADE\n", wanface);
		}
		else {
			ipt_write("-A POSTROUTING -o %s -j SNAT --to-source %s\n", wanface, wanaddr);
		}

		// NAT loopback: LAN-to-LAN traffic leaving via lanface (i.e. DNATed
		// back into the LAN) is masqueraded unless nf_loopback restricts it
		switch (nvram_get_int("nf_loopback")) {
		case 1: // 1 = forwarded-only
		case 2: // 2 = disable
			break;
		default: // 0 = all (same as block_loopback=0)
			ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
				lanface,
				lanaddr, lanmask,
				lanaddr, lanmask);
			break;
		}
	}
	ipt_write("COMMIT\n");
}
404
405 // -----------------------------------------------------------------------------
406 // FILTER
407 // -----------------------------------------------------------------------------
408
/*
 * INPUT chain of the filter table (policy DROP, set in filter_table()).
 *
 * Accepts, in order: established/related traffic, anything arriving on
 * the LAN interface or loopback, optionally ICMP, remote web/ssh
 * management from the rmgt_sip list, optionally IGMP and RIP. Everything
 * else falls through to the DROP policy (explicitly via logdrop when
 * logging is on). ne_shlimit adds a per-source rate limit in front of the
 * ssh/telnet ports.
 */
static void filter_input(void)
{
	char s[64];
	char t[512];
	char *en;
	char *sec;
	char *hit;
	int n;
	char *p, *c;

	// with NAT loopback restricted, LAN packets addressed to the WAN IP are
	// dropped instead of being handled locally
	if ((nvram_get_int("nf_loopback") != 0) && (wanup)) { // 0 = all
		ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanaddr);
	}

	ipt_write(
		"-A INPUT -m state --state INVALID -j %s\n"
		"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
		chain_in_drop);


	// ne_shlimit = "<enable>,<hitcount>,<seconds>"; enable bit 1 = ssh,
	// bit 2 = telnet. hitcount/seconds are passed to the recent match
	// unvalidated; a non-numeric value is likely to make iptables-restore
	// reject the table (see the error path in start_firewall()).
	strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
	if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
		/*
		? what if the user uses the start button in GUI ?
		if (nvram_get_int("telnetd_eas"))
		if (nvram_get_int("sshd_eas"))
		*/
		modprobe("ipt_recent");

		// new connections to the guarded ports are counted per source; once
		// hitcount is reached within seconds, further ones are dropped
		ipt_write(
			"-N shlimit\n"
			"-A shlimit -m recent --set --name shlimit\n"
			"-A shlimit -m recent --update --hitcount %s --seconds %s --name shlimit -j DROP\n",
			hit, sec);

		if (n & 1) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
		if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
	}

	// everything from the LAN side and loopback is trusted
	ipt_write(
		"-A INPUT -i %s -j ACCEPT\n"
		"-A INPUT -i lo -j ACCEPT\n",
		lanface);

	// ICMP request from WAN interface
	if (nvram_match("block_wan", "0")) {
		ipt_write("-A INPUT -p icmp -j ACCEPT\n");
	}


	// Remote management: these match the packets DNATed in nat_table()
	// (destination rewritten to lan_ipaddr:web_lanport / sshd_port). The
	// rmgt_sip list is applied the same way as there; an empty list means
	// no source restriction.
	strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
	p = t;
	do {
		if ((c = strchr(p, ',')) != NULL) *c = 0;

		ipt_source(p, s);

		if (remotemanage) {
			ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %d -j %s\n",
				s, nvram_safe_get("lan_ipaddr"), web_lanport, chain_in_accept);
		}

		if (nvram_get_int("sshd_remote")) {
			ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
				s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("sshd_port"), chain_in_accept);
		}

		if (!c) break;
		p = c + 1;
	} while (*p);


	// IGMP query from WAN interface
	if (nvram_match("multicast_pass", "1")) {
		ipt_write("-A INPUT -p igmp -j ACCEPT\n");
	}

	// Routing protocol, RIP, accept
	if (nvram_invmatch("dr_wan_rx", "0")) {
		ipt_write("-A INPUT -p udp -m udp --dport 520 -j ACCEPT\n");
	}

	// if logging: an explicit final jump so the drop gets logged; without
	// logging the chain policy does the same silently
	if (*chain_in_drop == 'l') {
		ipt_write( "-A INPUT -j %s\n", chain_in_drop);
	}

	// default policy: DROP
}
498
// clamp TCP MSS to PMTU of WAN interface
/*
 * Rewrite the MSS of forwarded SYNs whose MSS exceeds what wan_run_mtu
 * allows (MTU - 40 for the IP+TCP headers; the match is on MTU - 39 and
 * above). Below a 576-byte MTU the kernel's --clamp-mss-to-pmtu is used
 * instead of a fixed value. The value of wan_run_mtu is used as-is; if it
 * is unset (0) the rule is written with negative numbers -- TODO confirm
 * that callers only reach this with a sane MTU.
 */
static void clampmss(void)
{
	int wan_mtu = nvram_get_int("wan_run_mtu");

	ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", wan_mtu - 39);
	if (wan_mtu >= 576) {
		ipt_write("--set-mss %d\n", wan_mtu - 40);
	}
	else {
		ipt_write("--clamp-mss-to-pmtu\n");
	}
}
512
/*
 * FORWARD chain of the filter table, used when its policy is DROP
 * (gateway mode or wk_mode_x == 1; see filter_table()).
 *
 * LAN-to-LAN is accepted outright and INVALID dropped, then the MSS clamp,
 * access restrictions and the L7in chain (WAN up). Established/related
 * traffic is accepted, the rest is dispatched by interface into the wanin
 * and wanout chains, and LAN-originated traffic is accepted through
 * chain_out_accept. wanin gets multicast, port triggers, port forwards and
 * the DMZ rules; what matches nothing hits the DROP policy.
 */
static void filter_forward(void)
{
	char dst[64];
	char src[64];
	char t[512];
	char *p, *c;

	ipt_write(
		"-A FORWARD -i %s -o %s -j ACCEPT\n" // accept all lan to lan
		"-A FORWARD -m state --state INVALID -j DROP\n", // drop if INVALID state
		lanface, lanface);

	// clamp tcp mss to pmtu
	clampmss();

	if (wanup) {
		ipt_restrictions();
		// ipt_layer7_inbound() frees the list that ipt_layer7() builds, so it
		// has to run after every rule that uses a layer7 match;
		// ipt_restrictions() (defined elsewhere) presumably is one of them.
		ipt_layer7_inbound();
	}

	ipt_write(
		":wanin - [0:0]\n"
		":wanout - [0:0]\n"
		"-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" // already established or related (via helper)
		"-A FORWARD -i %s -j wanin\n" // generic from wan
		"-A FORWARD -o %s -j wanout\n" // generic to wan
		"-A FORWARD -i %s -j %s\n", // from lan
		wanface, wanface, lanface, chain_out_accept);

	if (nvram_get_int("upnp_enable") & 3) {
		// chain populated by miniupnpd (see the SIGUSR2 handling in start_firewall())
		ipt_write(
			":upnp - [0:0]\n"
			"-A FORWARD -i %s -j upnp\n",
			wanface);
	}

	if (wanup) {
		if (nvram_match("multicast_pass", "1")) {
			ipt_write("-A wanin -p udp -m udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
		}
		ipt_triggered(IPT_TABLE_FILTER);
		ipt_forward(IPT_TABLE_FILTER);

		if (dmz_dst(dst)) {
			// DMZ: accept everything DNATed to the DMZ host (see nat_table()),
			// optionally limited to the dmz_sip source list. This exposes the
			// host to all WAN traffic not matched by an earlier rule.
			strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
			p = t;
			do {
				if ((c = strchr(p, ',')) != NULL) *c = 0;
				ipt_source(p, src);
				ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface, src, dst, chain_in_accept);
				if (!c) break;
				p = c + 1;
			} while (*p);
		}
	}


	// default policy: DROP
}
572
/*
 * Write the filter table: INPUT policy DROP, OUTPUT ACCEPT; the logging
 * wrapper chains (logdrop/logreject/logaccept) when any chain_* target
 * selects them; then the INPUT rules, and FORWARD with policy DROP plus
 * filter_forward() in gateway mode (or wk_mode_x == 1), otherwise policy
 * ACCEPT with only the MSS clamp -- i.e. in plain router mode forwarded
 * traffic is not filtered at all.
 */
static void filter_table(void)
{
	int n;
	char limit[128];

	ipt_write(
		"*filter\n"
		":INPUT DROP [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n"
	);

	// log_limit = max log lines per minute (1..9999); anything else means
	// unlimited. The text fits easily in limit[] for that range.
	n = nvram_get_int("log_limit");
	if ((n >= 1) && (n <= 9999)) {
		sprintf(limit, "-m limit --limit %d/m", n);
	}
	else {
		limit[0] = 0;
	}

	// chain_* names beginning with 'l' are the logging wrappers selected in
	// start_firewall(); create them only when something references them
	if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
		ipt_write(
			":logdrop - [0:0]\n"
			"-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \" --log-tcp-options --log-ip-options\n"
			"-A logdrop -j DROP\n"
			":logreject - [0:0]\n"
			"-A logreject %s -j LOG --log-prefix \"REJECT \" --log-tcp-options --log-ip-options\n"
			"-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
			limit, limit);
	}
	if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
		ipt_write(
			":logaccept - [0:0]\n"
			"-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \" --log-tcp-options --log-ip-options\n"
			"-A logaccept -j ACCEPT\n",
			limit);
	}

	filter_input();

	if ((gateway_mode) || (nvram_match("wk_mode_x", "1"))) {
		ipt_write(":FORWARD DROP [0:0]\n");
		filter_forward();
	}
	else {
		ipt_write(":FORWARD ACCEPT [0:0]\n");
		clampmss();
	}
	ipt_write("COMMIT\n");
}
622
623
624 // -----------------------------------------------------------------------------
625
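/*
 * Turn on reverse-path filtering on every interface, to block obviously
 * spoofed source addresses.
 *
 * rp_filter - BOOLEAN
 * 1 - do source validation by reversed path, as specified in RFC1812
 *     Recommended option for single homed hosts and stub network
 *     routers. Could cause troubles for complicated (not loop free)
 *     networks running a slow unreliable protocol (sort of RIP),
 *     or using static routes.
 * 0 - No source validation.
 */
static void set_rp_filter_all(void)
{
	DIR *dir;
	struct dirent *dirent;
	char path[320];	// "/proc/sys/net/ipv4/conf/" + d_name (up to 255) + "/rp_filter"

	if ((dir = opendir("/proc/sys/net/ipv4/conf")) == NULL) return;
	while ((dirent = readdir(dir)) != NULL) {
		// "." and ".." have no rp_filter file of their own
		if ((strcmp(dirent->d_name, ".") == 0) || (strcmp(dirent->d_name, "..") == 0)) continue;
		// bounded formatting: the old sprintf into a 256-byte buffer could
		// not hold a maximal-length directory entry
		if (snprintf(path, sizeof(path), "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name) >= (int)sizeof(path)) continue;
		f_write_string(path, "1", 0, 0);
	}
	closedir(dir);
}

/*
 * Rebuild and load the complete firewall.
 *
 * Captures interface names/addresses and the logging chain targets into
 * the file-scope state above, writes the mangle, nat and filter tables to
 * ipt_fname and loads it with iptables-restore. Also sets the rp_filter
 * and tcp_syncookies sysctls, has miniupnpd save/reload its rules around
 * the reload, re-arms the access-restriction scheduler, enables IP
 * forwarding, unloads the optional match modules and runs script_fire.
 *
 * Holds the "firewall" lock for the whole run and the "restrictions" lock
 * until the rules are loaded (ipt_restrictions() runs under it from
 * filter_forward()). Both locks are released on every return path.
 *
 * Returns 0 in every case. Failures are reported through syslog and the
 * DIAG LED; a failed restore leaves the rule file renamed to
 * "<ipt_fname>.error" and does not install any fallback rule set.
 */
int start_firewall(void)
{
	char s[256];
	char *c;
	int n;
	int wanproto;

	simple_lock("firewall");
	simple_lock("restrictions");

	wanproto = get_wan_proto();
	wanup = check_wanup();

	// block obviously spoofed IP addresses
	set_rp_filter_all();

	f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);

	// Rule targets: the plain target, or its logging wrapper chain (created
	// in filter_table() when any selected name starts with 'l').
	n = nvram_get_int("log_in");
	chain_in_drop = (n & 1) ? "logdrop" : "DROP";
	chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";

	n = nvram_get_int("log_out");
	chain_out_drop = (n & 1) ? "logdrop" : "DROP";
	chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
	chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";

	// if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;

	strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);

	// PPP based WAN types get a wildcard so the rules do not depend on the
	// ppp unit number
	if ((wanproto == WP_PPTP) || (wanproto == WP_L2TP) || (wanproto == WP_PPPOE)) {
		strcpy(wanface, "ppp+");
	}
	else {
		strlcpy(wanface, nvram_safe_get("wan_ifname"), sizeof(wanface));
	}

	strlcpy(wanaddr, get_wanip(), sizeof(wanaddr));

	// lan_cclass: LAN address up to and including its last '.', for dmz_dst()
	strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
	if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
	strlcpy(lan_cclass, s, sizeof(lan_cclass));

	gateway_mode = !nvram_match("wk_mode", "router");
	if (gateway_mode) {
		/* Remote management */
		// http_wanport is only checked for "" / "0" here; nat_table() puts the
		// text into the DNAT rule as-is
		if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
			nvram_invmatch("http_wanport", "0")) remotemanage = 1;
		else remotemanage = 0;

		if (nvram_match("remote_mgt_https", "1")) {
			web_lanport = nvram_get_int("https_lanport");
			if (web_lanport <= 0) web_lanport = 443;
		}
		else {
			web_lanport = nvram_get_int("http_lanport");
			if (web_lanport <= 0) web_lanport = 80;
		}
	}


	if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
		syslog(LOG_CRIT, "Unable to create iptables restore file");
		// both locks were taken above; the old code returned here with
		// "restrictions" still held
		simple_unlock("restrictions");
		simple_unlock("firewall");
		return 0;
	}

	mangle_table();
	nat_table();
	filter_table();

	// a failed flush (e.g. full filesystem) means iptables-restore is about
	// to read a truncated file; say so before it fails below
	if (fclose(ipt_file) != 0) {
		syslog(LOG_CRIT, "Error writing iptables restore file");
	}
	ipt_file = NULL;

#ifdef DEBUG_IPTFILE
	if (debug_only) {
		simple_unlock("firewall");
		simple_unlock("restrictions");
		return 0;
	}
#endif

	// let miniupnpd save its dynamic rules before the tables are replaced
	if (nvram_get_int("upnp_enable") & 3) {
		f_write("/etc/upnp/save", NULL, 0, 0, 0);
		if (killall("miniupnpd", SIGUSR2) == 0) {
			f_wait_notexists("/etc/upnp/save", 5);
		}
	}

	if (eval("iptables-restore", (char *)ipt_fname) == 0) {
		led(LED_DIAG, 0);
	}
	else {
		// Keep the failing file for diagnosis. Note that nothing below
		// installs a safe fallback rule set; the box is left with whatever
		// iptables-restore managed to load. The block below is an unapplied
		// sketch of such a fallback.
		snprintf(s, sizeof(s), "%s.error", ipt_fname);
		rename(ipt_fname, s);
		syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
		led(LED_DIAG, 1);

		/*

		-P INPUT DROP
		-F INPUT
		-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
		-A INPUT -i br0 -j ACCEPT

		-P FORWARD DROP
		-F FORWARD
		-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
		-A FORWARD -i br0 -j ACCEPT

		*/
	}

	// ... and re-add them now that the tables (and the upnp chain) exist again
	if (nvram_get_int("upnp_enable") & 3) {
		f_write("/etc/upnp/load", NULL, 0, 0, 0);
		killall("miniupnpd", SIGUSR2);
	}

	simple_unlock("restrictions");
	sched_restrictions();
	// forwarding is only enabled after the rules are in place
	enable_ip_forward();

	led(LED_DMZ, dmz_dst(NULL));

	// optional match modules are loaded on demand by the writers above and
	// unloaded here; modprobe_r on an in-use module presumably leaves it loaded
	modprobe_r("ipt_layer7");
	modprobe_r("ipt_ipp2p");
	modprobe_r("ipt_web");
	modprobe_r("ipt_TTL");

	run_nvscript("script_fire", NULL, 1);

	simple_unlock("firewall");
	return 0;
}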
780
/*
 * Counterpart of start_firewall(). Only turns the DMZ LED off; the loaded
 * rules are left in place. Always returns 0.
 */
int stop_firewall(void)
{
	led(LED_DMZ, 0);
	return 0;
}
786
787 #ifdef DEBUG_IPTFILE
/*
 * Debug helper (DEBUG_IPTFILE builds only): run start_firewall() with
 * debug_only set, so it writes ipt_fname and returns before
 * iptables-restore and everything after it.
 */
void create_test_iptfile(void)
{
	debug_only = 1;
	start_firewall();
	debug_only = 0;
}
794 #endif
795