1 /*
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
10 This software should be used as a reference only, and is not
11 intended for production use!
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
26 #include "rc.h"
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
// Interface and address strings filled in by start_firewall() and read by the
// table writers below. wanface is "ppp+" for PPPoE/PPTP/L2TP, else wan_ifname.
char wanface[IFNAMSIZ];
char lanface[IFNAMSIZ];
char lan_cclass[sizeof("xxx.xxx.xxx.")];	// lan_ipaddr up to and including its last dot, e.g. "192.168.1."
char wanaddr[sizeof("xxx.xxx.xxx.xxx")];
static int web_lanport;	// LAN-side port that remote web management is DNATed to (http or https)

#ifdef DEBUG_IPTFILE
static int debug_only = 0;	// when set, start_firewall() writes the rules file but does not load it
#endif

static int gateway_mode;	// wk_mode != "router": NAT table and FORWARD filtering are generated
static int remotemanage;	// remote_management=1 with a non-empty, non-zero http_wanport
static int wanup;

// Targets chosen in start_firewall() from log_in/log_out: either the plain
// built-in target or the matching log* user chain that filter_table() creates.
const char *chain_in_drop;
const char *chain_in_accept;
const char *chain_out_drop;
const char *chain_out_accept;
const char *chain_out_reject;

const char ipt_fname[] = "/etc/iptables";	// iptables-restore input generated by start_firewall()
FILE *ipt_file;	// open only while the tables are being written; see ipt_write()
57 struct {
58 } firewall_data;
61 // -----------------------------------------------------------------------------
/*
 * Turn on IPv4 forwarding between interfaces.
 *
 * /proc/sys/net/ipv4/ip_forward is a BOOLEAN: 0 = disabled (kernel default),
 * anything else = enabled. Changing it is special: the kernel resets all
 * per-interface configuration parameters to their defaults (RFC1122 for
 * hosts, RFC1812 for routers).
 */
void enable_ip_forward(void)
{
	static const char sysctl_path[] = "/proc/sys/net/ipv4/ip_forward";

	f_write_string(sysctl_path, "1", 0, 0);
}
81 // -----------------------------------------------------------------------------
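/*
 * Reduce a dotted-quad IPv4 address to its class-C style prefix,
 * e.g. "192.168.1.5" -> "192.168.1." (appears unused in this file).
 *
 * ipaddr: dotted-quad string to parse.
 * out/count: destination buffer and its size (snprintf semantics).
 * Returns 0 when ipaddr is not exactly four octets in 0..255 with nothing
 * trailing, else the snprintf() result (would-be length of the prefix).
 *
 * The previous "%d.%d.%d.%d" parse accepted negative or >255 octets and
 * trailing junk, producing a nonsense prefix; octets are now range-checked.
 */
static int ip2cclass(const char *ipaddr, char *out, int count)
{
	unsigned int oct[4];
	char tail;
	int i;

	// %c only succeeds if something follows the fourth octet -> reject
	if (sscanf(ipaddr, "%3u.%3u.%3u.%3u%c", &oct[0], &oct[1], &oct[2], &oct[3], &tail) != 4) return 0;
	for (i = 0; i < 4; ++i) {
		if (oct[i] > 255) return 0;
	}
	return snprintf(out, count, "%u.%u.%u.", oct[0], oct[1], oct[2]);
}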
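/*
 * Resolve the configured DMZ host.
 *
 * s: if non-NULL, receives the dotted-quad host address (at most 15 chars
 *    plus NUL for a full address, lan_cclass plus up to 3 digits for the
 *    host-number form; callers pass 64-byte buffers).
 * Returns 1 when dmz_enable > 0 and dmz_ipaddr is usable, else 0.
 *
 * dmz_ipaddr is either a full address or a bare host number that is
 * appended to lan_cclass. The form is now decided on the absence of a dot
 * rather than on inet_addr() failing: glibc-style inet_addr() accepts a
 * bare number as a complete 32-bit address, which would turn "5" into
 * 0.0.0.5 (uClibc, which Tomato targets, is stricter, so this is a
 * portability hardening). A dotted value that inet_addr() rejects now
 * disables the DMZ instead of falling back to atoi() on it.
 */
static int dmz_dst(char *s)
{
	struct in_addr ia;
	const char *p;
	int n;

	if (nvram_get_int("dmz_enable") <= 0) return 0;

	p = nvram_safe_get("dmz_ipaddr");

	if (strchr(p, '.') == NULL) {
		// host-number form: 1..254 within the LAN's /24 prefix
		if (((n = atoi(p)) <= 0) || (n >= 255)) return 0;
		if (s) sprintf(s, "%s%d", lan_cclass, n);
		return 1;
	}

	// full address; (in_addr_t)-1 is INADDR_NONE, i.e. unparsable
	if ((ia.s_addr = inet_addr(p)) == (in_addr_t)-1) return 0;
	if (s) strcpy(s, inet_ntoa(ia));
	return 1;
}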
/*
 * Turn one source specification into an iptables match fragment.
 *
 * s:   "" (no restriction), an address or address/mask, or an inclusive
 *      range "a.b.c.d-e.f.g.h".
 * src: receives "" for an empty or over-long (>= 32 chars) s,
 *      "-m iprange --src-range <s>" for a range, otherwise "-s <s>".
 *      Output is at most 23 + 31 chars; callers pass 64-byte buffers.
 *
 * Note: apart from the length cap the value is not validated; an nvram
 * value that is not a valid address makes iptables-restore reject the
 * rule (and with it the whole generated file).
 */
static void ipt_source(const char *s, char *src)
{
	static const char digits_dots[] = "0123456789.";
	size_t lhs;

	*src = 0;
	if ((*s == 0) || (strlen(s) >= 32)) return;

	// range form: at least one [0-9.] char, a '-', then at least one more
	lhs = strspn(s, digits_dots);
	if ((lhs > 0) && (s[lhs] == '-') && (strspn(s + lhs + 1, digits_dots) > 0)) {
		sprintf(src, "-m iprange --src-range %s", s);
	}
	else {
		sprintf(src, "-s %s", s);
	}
}
/*
 * Like ipt_source(), but reads the source specification from nvram variable nv.
 * A '-' anywhere in the value selects the iprange form; an unset, empty or
 * over-long (>= 32 chars) value yields "".
 */
static void get_src(const char *nv, char *src)
{
	const char *v = nvram_get(nv);

	*src = 0;
	if ((v == NULL) || (*v == 0) || (strlen(v) >= 32)) return;

	if (strchr(v, '-') != NULL) {
		sprintf(src, "-m iprange --src-range %s", v);
	}
	else {
		sprintf(src, "-s %s", v);
	}
}
/*
 * printf-style append to the iptables-restore file currently open in ipt_file.
 * Only valid between the fopen()/fclose() pair in start_firewall().
 */
void ipt_write(const char *format, ...)
{
	va_list ap;

	va_start(ap, format);
	(void)vfprintf(ipt_file, format, ap);
	va_end(ap);
}
151 // -----------------------------------------------------------------------------
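/*
 * Build the "-m ipp2p ..." match for a protocol bitmask.
 *
 * v:   decimal bitmask string (nvram); bits 0..11 select the protocols in
 *      the table below, all twelve set means "--ipp2p" (everything).
 * opt: receives the match fragment, or "" when nothing is selected.
 * Returns 1 and loads ipt_ipp2p when a match was produced, else 0.
 *
 * Previously any non-zero value produced a match, so a value with only
 * bits outside 0..11 set (e.g. 4096) emitted "-m ipp2p " with no protocol
 * option; such values are now treated like 0.
 */
int ipt_ipp2p(const char *v, char *opt)
{
	enum { IPP2P_PROTO_MASK = 0x0FFF };
	static const char *const proto[12] = {
		"--apple ", "--ares ",  "--bit ",   "--dc ",
		"--edk ",   "--gnu ",   "--kazaa ", "--mute ",
		"--soul ",  "--waste ", "--winmx ", "--xdcc "
	};
	int n = atoi(v) & IPP2P_PROTO_MASK;
	int i;

	*opt = 0;
	if (n == 0) return 0;

	strcpy(opt, "-m ipp2p ");
	if (n == IPP2P_PROTO_MASK) {
		strcat(opt, "--ipp2p");
	}
	else {
		for (i = 0; i < 12; ++i) {
			if (n & (1 << i)) strcat(opt, proto[i]);
		}
	}

	modprobe("ipt_ipp2p");
	return 1;
}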
188 // -----------------------------------------------------------------------------
char **layer7_in;	// NULL-terminated list of L7 match fragments collected by ipt_layer7(), consumed and freed by ipt_layer7_inbound()
/*
 * Emit the L7in chain for inbound traffic and release layer7_in.
 *
 * When nf_l7in is enabled, every match fragment collected by ipt_layer7()
 * becomes "-A L7in <match> -j RETURN" on a chain jumped to from FORWARD for
 * packets entering on wanface. Per the original author (zzz): this matches
 * inbound traffic so the layer7 module caches the classification, and the
 * outbound rules can then read the cached result and set their marks.
 * The list is freed in either case, so this must run after all
 * ipt_layer7() calls for this ruleset.
 */
void ipt_layer7_inbound(void)
{
	char **entry;
	int enabled;

	if (layer7_in == NULL) return;

	enabled = nvram_match("nf_l7in", "1");
	if (enabled) {
		ipt_write(
			":L7in - [0:0]\n"
			"-A FORWARD -i %s -j L7in\n",
			wanface);
	}

	for (entry = layer7_in; *entry != NULL; ++entry) {
		if (enabled) ipt_write("-A L7in %s -j RETURN\n", *entry);
		free(*entry);
	}
	free(layer7_in);
	layer7_in = NULL;
}
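/*
 * Build the "-m layer7 ..." match for protocol name v.
 *
 * v:   pattern name (nvram); the file <dir>/<v>.pat must exist in
 *      /etc/l7-extra or, failing that, /etc/l7-protocols.
 * opt: receives the match fragment, or "" when v is empty / rejected.
 * Returns 1 on success (module loaded), 0 for an empty v, -1 when v is
 * over-long, contains a path separator, or no pattern file was found.
 *
 * With nf_l7in enabled the fragment is also remembered (once) in layer7_in
 * for ipt_layer7_inbound().
 *
 * Fixes: the slot check divided an element count by sizeof(char *) a second
 * time, so the list could grow past its 50 slots and write beyond the
 * calloc'd array. A name containing '/' is now refused: the name is used as
 * a file basename and passed verbatim to the match, so it must stay inside
 * the pattern directories.
 */
int ipt_layer7(const char *v, char *opt)
{
	enum { L7IN_MAX = 50 };	// entries; one extra slot keeps the NULL terminator
	char s[128];
	const char *path;

	*opt = 0;
	if (*v == 0) return 0;
	if (strlen(v) > 32) return -1;
	if (strchr(v, '/') != NULL) {
		syslog(LOG_ERR, "L7 %s is not a valid protocol name", v);
		return -1;
	}

	path = "/etc/l7-extra";
	snprintf(s, sizeof(s), "%s/%s.pat", path, v);
	if (!f_exists(s)) {
		path = "/etc/l7-protocols";
		snprintf(s, sizeof(s), "%s/%s.pat", path, v);
		if (!f_exists(s)) {
			syslog(LOG_ERR, "L7 %s was not found", v);
			return -1;
		}
	}

	sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v);

	if (nvram_match("nf_l7in", "1")) {
		if (!layer7_in) layer7_in = calloc(L7IN_MAX + 1, sizeof(char *));
		if (layer7_in) {
			char **p = layer7_in;

			while (*p) {
				if (strcmp(*p, opt) == 0) return 1;	// already listed (module was loaded then)
				++p;
			}
			// p - layer7_in is already a slot index; a failed strdup() just leaves the terminator
			if ((p - layer7_in) < L7IN_MAX) *p = strdup(opt);
		}
	}

	modprobe("ipt_layer7");
	return 1;
}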
262 // -----------------------------------------------------------------------------
263 // MANGLE
264 // -----------------------------------------------------------------------------
/*
 * Write the *mangle table: QoS marking (ipt_qos) and the optional TTL
 * adjustment on the WAN interface, both only while the WAN is up.
 *
 * nf_ttl > 0 increments the TTL by that amount on WAN ingress and egress,
 * nf_ttl < 0 decrements by the absolute value, 0 leaves the TTL alone.
 */
static void mangle_table(void)
{
	int ttl;
	const char *dir;

	ipt_write(
		"*mangle\n"
		":PREROUTING ACCEPT [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n");

	if (wanup) {
		ipt_qos();

		ttl = nvram_get_int("nf_ttl");
		if (ttl != 0) {
			modprobe("ipt_TTL");
			dir = "in";		// --ttl-inc
			if (ttl < 0) {
				ttl = -ttl;
				dir = "de";	// --ttl-dec
			}
			ipt_write(
				"-I PREROUTING -i %s -j TTL --ttl-%sc %d\n"
				"-I POSTROUTING -o %s -j TTL --ttl-%sc %d\n",
				wanface, dir, ttl,
				wanface, dir, ttl);
		}
	}

	ipt_write("COMMIT\n");
}
302 // -----------------------------------------------------------------------------
303 // NAT
304 // -----------------------------------------------------------------------------
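/*
 * Write the *nat table (gateway mode only): anti-spoof drop for WAN packets
 * addressed to the LAN subnet, DNS interception, remote-management and DMZ
 * DNATs, port forwards/triggers, and the outbound MASQUERADE/SNAT plus the
 * optional NAT-loopback masquerade.
 *
 * rmgt_sip and dmz_sip are comma-separated source lists; an empty list means
 * "from anywhere". Fix: an empty element inside a non-empty list (",1.2.3.4"
 * or "a,,b") used to be handed to ipt_source() as "" and so emitted an
 * unrestricted rule next to the restricted ones; such elements are skipped.
 * Lists are copied into a 512-byte buffer, so a longer list is silently
 * truncated (and its last element possibly mangled).
 */
static void nat_table(void)
{
	char lanaddr[32];
	char lanmask[32];
	char dst[64];
	char src[64];
	char t[512];
	char *p, *c;
	int anysrc;

	ipt_write("*nat\n"
		":PREROUTING ACCEPT [0:0]\n"
		":POSTROUTING ACCEPT [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n");
	if (gateway_mode) {
		strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
		strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));

		// Drop incoming packets which destination IP address is to our LAN side directly
		ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
			wanface,
			lanaddr, lanmask);	// note: ipt will correct lanaddr

		if (wanup) {
			// DNS interception: UDP/53 from the LAN that is not aimed at the LAN goes to the router itself
			if (nvram_match("dns_intcpt", "1")) {
				ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
					lanaddr, lanmask,
					lanaddr, lanmask,
					lanaddr);
			}

			// ICMP packets are always redirected to INPUT chains
			// (no -i, so from any interface; placed before the DMZ DNAT so a DMZ host never gets them)
			ipt_write("-A PREROUTING -p icmp -d %s -j DNAT --to-destination %s\n", wanaddr, lanaddr);

			// Remote web/ssh management: one DNAT per allowed source
			strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
			anysrc = (*t == 0);
			p = t;
			do {
				if ((c = strchr(p, ',')) != NULL) *c = 0;
				if (*p || anysrc) {	// skip stray empty elements of a non-empty list
					ipt_source(p, src);

					if (remotemanage) {
						ipt_write("-A PREROUTING -p tcp -m tcp %s -d %s --dport %s -j DNAT --to-destination %s:%d\n",
							src,
							wanaddr, nvram_safe_get("http_wanport"),
							lanaddr, web_lanport);
					}
					if (nvram_get_int("sshd_remote")) {
						ipt_write("-A PREROUTING %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n",
							src,
							wanaddr, nvram_safe_get("sshd_rport"),
							lanaddr, nvram_safe_get("sshd_port"));
					}
				}
				if (!c) break;
				p = c + 1;
			} while (*p);

			ipt_forward(IPT_TABLE_NAT);
			ipt_triggered(IPT_TABLE_NAT);
		}

		if (nvram_get_int("upnp_enable") & 3) {
			ipt_write(":upnp - [0:0]\n");
			if (wanup) {
				// ! for loopback (all) to work
				ipt_write("-A PREROUTING -d %s -j upnp\n", wanaddr);
			}
			else {
				ipt_write("-A PREROUTING -i %s -j upnp\n", wanface);
			}
		}

		if (wanup) {
			// DMZ: everything else addressed to the WAN address from an allowed source
			if (dmz_dst(dst)) {
				strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
				anysrc = (*t == 0);
				p = t;
				do {
					if ((c = strchr(p, ',')) != NULL) *c = 0;
					if (*p || anysrc) {	// skip stray empty elements of a non-empty list
						ipt_source(p, src);
						ipt_write("-A PREROUTING %s -d %s -j DNAT --to-destination %s\n", src, wanaddr, dst);
					}
					if (!c) break;
					p = c + 1;
				} while (*p);
			}
		}

		// Outbound NAT: SNAT to the fixed WAN address only when requested and the WAN is up
		if ((!wanup) || (nvram_get_int("net_snat") != 1)) {
			ipt_write("-A POSTROUTING -o %s -j MASQUERADE\n", wanface);
		}
		else {
			ipt_write("-A POSTROUTING -o %s -j SNAT --to-source %s\n", wanface, wanaddr);
		}

		// NAT loopback: LAN-to-LAN traffic that went through a DNAT is masqueraded so replies return via the router
		switch (nvram_get_int("nf_loopback")) {
		case 1:		// 1 = forwarded-only
		case 2:		// 2 = disable
			break;
		default:	// 0 = all (same as block_loopback=0)
			ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
				lanface,
				lanaddr, lanmask,
				lanaddr, lanmask);
			break;
		}
	}
	ipt_write("COMMIT\n");
}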
414 // -----------------------------------------------------------------------------
415 // FILTER
416 // -----------------------------------------------------------------------------
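/*
 * Write the INPUT rules of the *filter table (policy DROP, set by filter_table()).
 *
 * Order matters: the ssh/telnet (and FTP) brute-force limiters are installed
 * before the LAN/lo accept, so LAN clients are rate-limited too. Anything
 * not accepted below falls through to the DROP policy, via chain_in_drop
 * when logging is on.
 *
 * rmgt_sip and ftp_sip are comma-separated source lists; an empty list
 * means "from anywhere". Fix: an empty element inside a non-empty list
 * (",1.2.3.4" or "a,,b") used to reach ipt_source() as "" and emit an
 * unrestricted accept; such elements are now skipped.
 */
static void filter_input(void)
{
	char s[64];
	char t[512];
	char *en;
	char *sec;
	char *hit;
	int n;
	char *p, *c;
	int anysrc;

	// NAT loopback modes 1/2: LAN hosts addressing the WAN IP are dropped here
	if ((nvram_get_int("nf_loopback") != 0) && (wanup)) {	// 0 = all
		ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanaddr);
	}

	ipt_write(
		"-A INPUT -m state --state INVALID -j %s\n"
		"-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
		chain_in_drop);

	// ne_shlimit = "enable,hitcount,seconds"; enable bit 0 = ssh, bit 1 = telnet
	strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
	if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
		/*
			? what if the user uses the start button in GUI ?
			if (nvram_get_int("telnetd_eas"))
			if (nvram_get_int("sshd_eas"))
		*/
		modprobe("ipt_recent");

		ipt_write(
			"-N shlimit\n"
			"-A shlimit -m recent --set --name shlimit\n"
			"-A shlimit -m recent --update --hitcount %s --seconds %s --name shlimit -j DROP\n",
			hit, sec);

		if (n & 1) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
		if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
	}

#ifdef TCONFIG_FTP
	// ftp_limit has the same "enable,hitcount,seconds" shape
	strlcpy(s, nvram_safe_get("ftp_limit"), sizeof(s));
	if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && (atoi(en)) && (nvram_get_int("ftp_enable") == 1)) {
		modprobe("ipt_recent");

		ipt_write(
			"-N ftplimit\n"
			"-A ftplimit -m recent --set --name ftp\n"
			"-A ftplimit -m recent --update --hitcount %s --seconds %s --name ftp -j DROP\n",
			hit, sec);
		ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j ftplimit\n", nvram_safe_get("ftp_port"));
	}
#endif

	ipt_write(
		"-A INPUT -i %s -j ACCEPT\n"
		"-A INPUT -i lo -j ACCEPT\n",
		lanface);

	// ICMP request from WAN interface (no -i: accepted on every interface)
	if (nvram_match("block_wan", "0")) {
		ipt_write("-A INPUT -p icmp -j ACCEPT\n");
	}

	// Remote web/ssh management, one accept per allowed source, aimed at the LAN address
	// (nat_table() DNATs the WAN-side ports there)
	strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
	anysrc = (*t == 0);
	p = t;
	do {
		if ((c = strchr(p, ',')) != NULL) *c = 0;
		if (*p || anysrc) {	// skip stray empty elements of a non-empty list
			ipt_source(p, s);

			if (remotemanage) {
				ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %d -j %s\n",
					s, nvram_safe_get("lan_ipaddr"), web_lanport, chain_in_accept);
			}

			if (nvram_get_int("sshd_remote")) {
				ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
					s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("sshd_port"), chain_in_accept);
			}
		}
		if (!c) break;
		p = c + 1;
	} while (*p);

#ifdef TCONFIG_FTP	// !!TB - FTP Server
	if (nvram_match("ftp_enable", "1")) {	// FTP WAN access enabled
		strlcpy(t, nvram_safe_get("ftp_sip"), sizeof(t));
		anysrc = (*t == 0);
		p = t;
		do {
			if ((c = strchr(p, ',')) != NULL) *c = 0;
			if (*p || anysrc) {	// skip stray empty elements of a non-empty list
				ipt_source(p, s);
				ipt_write("-A INPUT -p tcp %s -m tcp --dport %s -j %s\n",
					s, nvram_safe_get("ftp_port"), chain_in_accept);
			}
			if (!c) break;
			p = c + 1;
		} while (*p);
	}
#endif

	// IGMP query from WAN interface
	if (nvram_match("multicast_pass", "1")) {
		ipt_write("-A INPUT -p igmp -j ACCEPT\n");
	}

	// Routing protocol, RIP, accept (from any interface)
	if (nvram_invmatch("dr_wan_rx", "0")) {
		ipt_write("-A INPUT -p udp -m udp --dport 520 -j ACCEPT\n");
	}

	// if logging: send what is left to logdrop instead of the silent policy DROP
	if (*chain_in_drop == 'l') {
		ipt_write( "-A INPUT -j %s\n", chain_in_drop);
	}

	// default policy: DROP
}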
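/*
 * Clamp the TCP MSS of forwarded SYNs to the WAN MTU (wan_run_mtu).
 *
 * Only SYNs advertising an MSS of at least MTU-39 (i.e. too large for the
 * WAN link) are rewritten: to MTU-40 for a normal MTU, or clamped to the
 * path MTU when the configured MTU is below 576.
 *
 * Fix: an unset or tiny wan_run_mtu made the lower bound negative, which is
 * not a valid --mss value; iptables-restore would then reject the rule and
 * discard the whole filter table. The bound is floored at 0 (matches every
 * SYN), which only affects inputs that previously produced an invalid rule.
 */
static void clampmss(void)
{
	int rmtu = nvram_get_int("wan_run_mtu");
	int lower = rmtu - 39;

	if (lower < 0) lower = 0;
	ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", lower);
	if (rmtu < 576) {
		ipt_write("--clamp-mss-to-pmtu\n");
	}
	else {
		ipt_write("--set-mss %d\n", rmtu - 40);
	}
}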
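/*
 * Write the FORWARD rules of the *filter table (policy DROP, set by filter_table()).
 *
 * LAN-to-LAN is accepted outright, INVALID is dropped, MSS is clamped, then
 * access restrictions and the L7 inbound chain are added while the WAN is
 * up. The wanin/wanout chains are jumped to for WAN ingress/egress and are
 * populated by the forwarding helpers called below (ipt_triggered/ipt_forward
 * live elsewhere); traffic entering from the LAN that matched nothing above
 * is accepted via chain_out_accept. DMZ accepts come last.
 *
 * dmz_sip is a comma-separated source list; an empty list means "from
 * anywhere". Fix: an empty element inside a non-empty list used to reach
 * ipt_source() as "" and emit an unrestricted accept; it is now skipped.
 */
static void filter_forward(void)
{
	char dst[64];
	char src[64];
	char t[512];
	char *p, *c;
	int anysrc;

	ipt_write(
		"-A FORWARD -i %s -o %s -j ACCEPT\n"	// accept all lan to lan
		"-A FORWARD -m state --state INVALID -j DROP\n",	// drop if INVALID state
		lanface, lanface);

	// clamp tcp mss to pmtu
	clampmss();

	if (wanup) {
		ipt_restrictions();
		ipt_layer7_inbound();
	}

	ipt_write(
		":wanin - [0:0]\n"
		":wanout - [0:0]\n"
		"-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"	// already established or related (via helper)
		"-A FORWARD -i %s -j wanin\n"	// generic from wan
		"-A FORWARD -o %s -j wanout\n"	// generic to wan
		"-A FORWARD -i %s -j %s\n",	// from lan
		wanface, wanface, lanface, chain_out_accept);

	if (nvram_get_int("upnp_enable") & 3) {
		ipt_write(
			":upnp - [0:0]\n"
			"-A FORWARD -i %s -j upnp\n",
			wanface);
	}

	if (wanup) {
		if (nvram_match("multicast_pass", "1")) {
			ipt_write("-A wanin -p udp -m udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
		}
		ipt_triggered(IPT_TABLE_FILTER);
		ipt_forward(IPT_TABLE_FILTER);

		// DMZ: accept everything towards the DMZ host from each allowed source
		if (dmz_dst(dst)) {
			strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
			anysrc = (*t == 0);
			p = t;
			do {
				if ((c = strchr(p, ',')) != NULL) *c = 0;
				if (*p || anysrc) {	// skip stray empty elements of a non-empty list
					ipt_source(p, src);
					ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface, src, dst, chain_in_accept);
				}
				if (!c) break;
				p = c + 1;
			} while (*p);
		}
	}

	// default policy: DROP
}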
/*
 * Write the *filter table: INPUT DROP / OUTPUT ACCEPT policies, the optional
 * log* user chains, the INPUT rules, and either a filtered FORWARD chain
 * (gateway mode or wk_mode_x=1) or an open one with MSS clamping only.
 */
static void filter_table(void)
{
	char limit[128];
	int per_min;

	ipt_write(
		"*filter\n"
		":INPUT DROP [0:0]\n"
		":OUTPUT ACCEPT [0:0]\n"
	);

	// Optional rate limit shared by every LOG rule below (log_limit entries per minute)
	per_min = nvram_get_int("log_limit");
	limit[0] = 0;
	if ((per_min >= 1) && (per_min <= 9999)) {
		snprintf(limit, sizeof(limit), "-m limit --limit %d/m", per_min);
	}

	// The log* chains exist only when start_firewall() selected them (their names
	// start with 'l'; the plain targets are DROP/ACCEPT/REJECT).
	if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
		// logdrop logs connection attempts only (state NEW), so INVALID packets sent
		// here are dropped without a log line. logreject resets TCP only: a non-TCP
		// packet sent to it is logged and then returns to the calling chain.
		ipt_write(
			":logdrop - [0:0]\n"
			"-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \" --log-tcp-options --log-ip-options\n"
			"-A logdrop -j DROP\n"
			":logreject - [0:0]\n"
			"-A logreject %s -j LOG --log-prefix \"REJECT \" --log-tcp-options --log-ip-options\n"
			"-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
			limit, limit);
	}
	if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
		ipt_write(
			":logaccept - [0:0]\n"
			"-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \" --log-tcp-options --log-ip-options\n"
			"-A logaccept -j ACCEPT\n",
			limit);
	}

	filter_input();

	if (gateway_mode || nvram_match("wk_mode_x", "1")) {
		ipt_write(":FORWARD DROP [0:0]\n");
		filter_forward();
	}
	else {
		// plain router: forward everything, just keep the MSS sane
		ipt_write(":FORWARD ACCEPT [0:0]\n");
		clampmss();
	}
	ipt_write("COMMIT\n");
}
664 // -----------------------------------------------------------------------------
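/*
 * Best-effort closed ruleset used when iptables-restore rejects the
 * generated file. iptables-restore commits table by table, so a rejected
 * file can leave the filter table in whatever state it had before (at first
 * boot: empty, with ACCEPT policies) while ip_forward is still switched on
 * by start_firewall(). Keep established flows and LAN/loopback access so the
 * error can be repaired from the LAN. Based on the fallback that was left in
 * a comment at this spot.
 */
static void firewall_failsafe(void)
{
	eval("iptables", "-P", "INPUT", "DROP");
	eval("iptables", "-F", "INPUT");
	eval("iptables", "-A", "INPUT", "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT");
	eval("iptables", "-A", "INPUT", "-i", lanface, "-j", "ACCEPT");
	eval("iptables", "-A", "INPUT", "-i", "lo", "-j", "ACCEPT");
	eval("iptables", "-P", "FORWARD", "DROP");
	eval("iptables", "-F", "FORWARD");
	eval("iptables", "-A", "FORWARD", "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT");
	eval("iptables", "-A", "FORWARD", "-i", lanface, "-j", "ACCEPT");
}

/*
 * Build and load the complete firewall.
 *
 * Sets rp_filter on every interface and tcp_syncookies from ne_syncookies,
 * derives the globals used by the table writers (chain targets from
 * log_in/log_out, wanface/lanface/wanaddr/lan_cclass, remote-management
 * port), writes mangle/nat/filter to ipt_fname and loads it with
 * iptables-restore, pausing miniupnpd around the reload. Finally enables
 * IP forwarding, unloads the optional match modules (they stay loaded if
 * a rule uses them) and runs the user's script_fire.
 * Always returns 0; failures are logged and shown on LED_DIAG.
 *
 * Fixes: the "restrictions" lock was leaked when the rules file could not
 * be created; the rp_filter path is bounded (d_name may be up to 255 bytes
 * against a 256-byte buffer); "." and ".." are skipped; and a rejected
 * ruleset now falls back to firewall_failsafe() instead of leaving the
 * previous (possibly empty, fully open) filter table in place.
 */
int start_firewall(void)
{
	DIR *dir;
	struct dirent *dirent;
	char s[256];
	char *c;
	int n;
	int wanproto;

	simple_lock("firewall");
	simple_lock("restrictions");

	wanproto = get_wan_proto();
	wanup = check_wanup();

	/*
		block obviously spoofed IP addresses

		rp_filter - BOOLEAN
		1 - do source validation by reversed path, as specified in RFC1812
		    Recommended option for single homed hosts and stub network
		    routers. Could cause troubles for complicated (not loop free)
		    networks running a slow unreliable protocol (sort of RIP),
		    or using static routes.
		0 - No source validation.
	*/
	if ((dir = opendir("/proc/sys/net/ipv4/conf")) != NULL) {
		while ((dirent = readdir(dir)) != NULL) {
			if ((strcmp(dirent->d_name, ".") == 0) || (strcmp(dirent->d_name, "..") == 0)) continue;
			snprintf(s, sizeof(s), "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name);
			f_write_string(s, "1", 0, 0);
		}
		closedir(dir);
	}

	f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);

	// log_in / log_out: bit 0 = log drops (and rejects), bit 1 = log accepts
	n = nvram_get_int("log_in");
	chain_in_drop = (n & 1) ? "logdrop" : "DROP";
	chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";

	n = nvram_get_int("log_out");
	chain_out_drop = (n & 1) ? "logdrop" : "DROP";
	chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
	chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";

//	if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;

	strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);

	// PPP-based WAN types terminate on a ppp interface; match them all with a wildcard
	if ((wanproto == WP_PPTP) || (wanproto == WP_L2TP) || (wanproto == WP_PPPOE)) {
		strcpy(wanface, "ppp+");
	}
	else {
		strlcpy(wanface, nvram_safe_get("wan_ifname"), sizeof(wanface));
	}

	strlcpy(wanaddr, get_wanip(), sizeof(wanaddr));

	// lan_cclass = lan_ipaddr up to and including its last dot ("192.168.1.")
	strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
	if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
	strlcpy(lan_cclass, s, sizeof(lan_cclass));

	gateway_mode = !nvram_match("wk_mode", "router");
	if (gateway_mode) {
		/* Remote management */
		if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
			nvram_invmatch("http_wanport", "0")) remotemanage = 1;
		else remotemanage = 0;

		if (nvram_match("remote_mgt_https", "1")) {
			web_lanport = nvram_get_int("https_lanport");
			if (web_lanport <= 0) web_lanport = 443;
		}
		else {
			web_lanport = nvram_get_int("http_lanport");
			if (web_lanport <= 0) web_lanport = 80;
		}
	}

	if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
		syslog(LOG_CRIT, "Unable to create iptables restore file");
		simple_unlock("restrictions");	// was leaked on this path
		simple_unlock("firewall");
		return 0;
	}

	mangle_table();
	nat_table();
	filter_table();

	fclose(ipt_file);
	ipt_file = NULL;

#ifdef DEBUG_IPTFILE
	if (debug_only) {
		simple_unlock("firewall");
		simple_unlock("restrictions");
		return 0;
	}
#endif

	// Ask miniupnpd to save its rules before the tables are replaced, and wait for it
	if (nvram_get_int("upnp_enable") & 3) {
		f_write("/etc/upnp/save", NULL, 0, 0, 0);
		if (killall("miniupnpd", SIGUSR2) == 0) {
			f_wait_notexists("/etc/upnp/save", 5);
		}
	}

	if (eval("iptables-restore", (char *)ipt_fname) == 0) {
		led(LED_DIAG, 0);
	}
	else {
		sprintf(s, "%s.error", ipt_fname);
		rename(ipt_fname, s);
		syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
		led(LED_DIAG, 1);

		// Do not stay open: install the minimal closed ruleset (LAN access is kept)
		firewall_failsafe();
	}

	// Let miniupnpd re-add its rules
	if (nvram_get_int("upnp_enable") & 3) {
		f_write("/etc/upnp/load", NULL, 0, 0, 0);
		killall("miniupnpd", SIGUSR2);
	}

	simple_unlock("restrictions");
	sched_restrictions();
	enable_ip_forward();

	led(LED_DMZ, dmz_dst(NULL));

	// Optional match modules: removal fails harmlessly while a loaded rule still references them
	modprobe_r("ipt_layer7");
	modprobe_r("ipt_ipp2p");
	modprobe_r("ipt_web");
	modprobe_r("ipt_TTL");

	run_nvscript("script_fire", NULL, 1);

	simple_unlock("firewall");
	return 0;
}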
/*
 * Counterpart of start_firewall(). The loaded rules are left in place;
 * only the DMZ indicator is switched off. Always returns 0.
 */
int stop_firewall(void)
{
	led(LED_DMZ, 0);

	return 0;
}
827 #ifdef DEBUG_IPTFILE
/*
 * Debug helper: generate the iptables-restore file without loading it.
 * start_firewall() returns right after writing ipt_fname while debug_only is set.
 */
void create_test_iptfile(void)
{
	debug_only = 1;
	(void)start_firewall();
	debug_only = 0;
}
834 #endif