search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Tomato 1.25
[tomato.git] / release / src / router / rc / firewall.c
blobccad773285ac245bcfe7dd96d75075f912a04b38
1 /*
2
3 Copyright 2003-2005, CyberTAN Inc. All Rights Reserved
4
5 This is UNPUBLISHED PROPRIETARY SOURCE CODE of CyberTAN Inc.
6 the contents of this file may not be disclosed to third parties,
7 copied or duplicated in any form without the prior written
8 permission of CyberTAN Inc.
9
10 This software should be used as a reference only, and it not
11 intended for production use!
12
13 THIS SOFTWARE IS OFFERED "AS IS", AND CYBERTAN GRANTS NO WARRANTIES OF ANY
14 KIND, EXPRESS OR IMPLIED, BY STATUTE, COMMUNICATION OR OTHERWISE. CYBERTAN
15 SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS
16 FOR A SPECIFIC PURPOSE OR NONINFRINGEMENT CONCERNING THIS SOFTWARE
17
18 */
19 /*
20
21 Modified for Tomato Firmware
22 Portions, Copyright (C) 2006-2009 Jonathan Zarate
23
24 */
25
26 #include "rc.h"
27
28 #include <stdarg.h>
29 #include <arpa/inet.h>
30 #include <dirent.h>
31
32 char wanface[IFNAMSIZ];
33 char lanface[IFNAMSIZ];
34 char lan_cclass[sizeof("xxx.xxx.xxx.")];
35 char wanaddr[sizeof("xxx.xxx.xxx.xxx")];
36 static int web_lanport;
37
38 #ifdef DEBUG_IPTFILE
39 static int debug_only = 0;
40 #endif
41
42 static int gateway_mode;
43 static int remotemanage;
44 static int wanup;
45
46 const char *chain_in_drop;
47 const char *chain_in_accept;
48 const char *chain_out_drop;
49 const char *chain_out_accept;
50 const char *chain_out_reject;
51
52 const char ipt_fname[] = "/etc/iptables";
53 FILE *ipt_file;
54
55
56 /*
57 struct {
58 } firewall_data;
59 */
60
61 // -----------------------------------------------------------------------------
62
63
64 void enable_ip_forward(void)
65 {
66 /*
67 ip_forward - BOOLEAN
68 0 - disabled (default)
69 not 0 - enabled
70
71 Forward Packets between interfaces.
72
73 This variable is special, its change resets all configuration
74 parameters to their default state (RFC1122 for hosts, RFC1812
75 for routers)
76 */
77 f_write_string("/proc/sys/net/ipv4/ip_forward", "1", 0, 0);
78 }
79
80
81 // -----------------------------------------------------------------------------
82
83 /*
84 static int ip2cclass(char *ipaddr, char *new, int count)
85 {
86 int ip[4];
87
88 if (sscanf(ipaddr,"%d.%d.%d.%d",&ip[0],&ip[1],&ip[2],&ip[3]) != 4) return 0;
89 return snprintf(new, count, "%d.%d.%d.",ip[0],ip[1],ip[2]);
90 }
91 */
92
93
94 static int dmz_dst(char *s)
95 {
96 struct in_addr ia;
97 char *p;
98 int n;
99
100 if (nvram_get_int("dmz_enable") <= 0) return 0;
101
102 p = nvram_safe_get("dmz_ipaddr");
103 if ((ia.s_addr = inet_addr(p)) == (in_addr_t)-1) {
104 if (((n = atoi(p)) <= 0) || (n >= 255)) return 0;
105 if (s) sprintf(s, "%s%d", lan_cclass, n);
106 return 1;
107 }
108
109 if (s) strcpy(s, inet_ntoa(ia));
110 return 1;
111 }
112
113 static void ipt_source(const char *s, char *src)
114 {
115 if ((*s) && (strlen(s) < 32)) sprintf(src, "-%s %s", strchr(s, '-') ? "m iprange --src-range" : "s", s);
116 else *src = 0;
117 }
118
119 /*
120 static void get_src(const char *nv, char *src)
121 {
122 char *p;
123
124 if (((p = nvram_get(nv)) != NULL) && (*p) && (strlen(p) < 32)) {
125 sprintf(src, "-%s %s", strchr(p, '-') ? "m iprange --src-range" : "s", p);
126 }
127 else {
128 *src = 0;
129 }
130 }
131 */
132
133 void ipt_write(const char *format, ...)
134 {
135 va_list args;
136
137 va_start(args, format);
138 vfprintf(ipt_file, format, args);
139 va_end(args);
140 }
141
142 // -----------------------------------------------------------------------------
143
144
145 int ipt_ipp2p(const char *v, char *opt)
146 {
147 int n = atoi(v);
148
149 if (n == 0) {
150 *opt = 0;
151 return 0;
152 }
153
154 strcpy(opt, "-m ipp2p ");
155 if ((n & 0xFFF) == 0xFFF) {
156 strcat(opt, "--ipp2p");
157 }
158 else {
159 // x12
160 if (n & 0x0001) strcat(opt, "--apple ");
161 if (n & 0x0002) strcat(opt, "--ares ");
162 if (n & 0x0004) strcat(opt, "--bit ");
163 if (n & 0x0008) strcat(opt, "--dc ");
164 if (n & 0x0010) strcat(opt, "--edk ");
165 if (n & 0x0020) strcat(opt, "--gnu ");
166 if (n & 0x0040) strcat(opt, "--kazaa ");
167 if (n & 0x0080) strcat(opt, "--mute ");
168 if (n & 0x0100) strcat(opt, "--soul ");
169 if (n & 0x0200) strcat(opt, "--waste ");
170 if (n & 0x0400) strcat(opt, "--winmx ");
171 if (n & 0x0800) strcat(opt, "--xdcc ");
172 }
173
174 modprobe("ipt_ipp2p");
175 return 1;
176 }
177
178
179 // -----------------------------------------------------------------------------
180
181
182 char **layer7_in;
183
184 // This L7 matches inbound traffic, caches the results, then the L7 outbound
185 // should read the cached result and set the appropriate marks -- zzz
186 void ipt_layer7_inbound(void)
187 {
188 int en;
189 char **p;
190
191 if (!layer7_in) return;
192
193 en = nvram_match("nf_l7in", "1");
194 if (en) {
195 ipt_write(
196 ":L7in - [0:0]\n"
197 "-A FORWARD -i %s -j L7in\n",
198 wanface);
199 }
200
201 p = layer7_in;
202 while (*p) {
203 if (en) ipt_write("-A L7in %s -j RETURN\n", *p);
204 free(*p);
205 ++p;
206 }
207 free(layer7_in);
208 layer7_in = NULL;
209 }
210
211 int ipt_layer7(const char *v, char *opt)
212 {
213 char s[128];
214 char *path;
215
216 *opt = 0;
217 if (*v == 0) return 0;
218 if (strlen(v) > 32) return -1;
219
220 path = "/etc/l7-extra";
221 sprintf(s, "%s/%s.pat", path, v);
222 if (!f_exists(s)) {
223 path = "/etc/l7-protocols";
224 sprintf(s, "%s/%s.pat", path, v);
225 if (!f_exists(s)) {
226 syslog(LOG_ERR, "L7 %s was not found", v);
227 return -1;
228 }
229 }
230
231 sprintf(opt, "-m layer7 --l7dir %s --l7proto %s", path, v);
232
233 if (nvram_match("nf_l7in", "1")) {
234 if (!layer7_in) layer7_in = calloc(51, sizeof(char *));
235 if (layer7_in) {
236 char **p;
237
238 p = layer7_in;
239 while (*p) {
240 if (strcmp(*p, opt) == 0) return 1;
241 ++p;
242 }
243 if (((p - layer7_in) / sizeof(char *)) < 50) *p = strdup(opt);
244 }
245 }
246
247 modprobe("ipt_layer7");
248 return 1;
249 }
250
251
252
253 // -----------------------------------------------------------------------------
254 // MANGLE
255 // -----------------------------------------------------------------------------
256
257 static void mangle_table(void)
258 {
259 int ttl;
260 char *p;
261
262 ipt_write(
263 "*mangle\n"
264 ":PREROUTING ACCEPT [0:0]\n"
265 ":OUTPUT ACCEPT [0:0]\n");
266
267 if (wanup) {
268 ipt_qos();
269
270 ttl = nvram_get_int("nf_ttl");
271 if (ttl != 0) {
272 modprobe("ipt_TTL");
273 if (ttl > 0) {
274 p = "in";
275 }
276 else {
277 ttl = -ttl;
278 p = "de";
279 }
280 ipt_write(
281 "-I PREROUTING -i %s -j TTL --ttl-%sc %d\n"
282 "-I POSTROUTING -o %s -j TTL --ttl-%sc %d\n",
283 wanface, p, ttl,
284 wanface, p, ttl);
285 }
286 }
287
288 ipt_write("COMMIT\n");
289 }
290
291
292
293 // -----------------------------------------------------------------------------
294 // NAT
295 // -----------------------------------------------------------------------------
296
297 static void nat_table(void)
298 {
299 char lanaddr[32];
300 char lanmask[32];
301 char dst[64];
302 char src[64];
303 char t[512];
304 char *p, *c;
305
306 ipt_write("*nat\n"
307 ":PREROUTING ACCEPT [0:0]\n"
308 ":POSTROUTING ACCEPT [0:0]\n"
309 ":OUTPUT ACCEPT [0:0]\n");
310 if (gateway_mode) {
311 strlcpy(lanaddr, nvram_safe_get("lan_ipaddr"), sizeof(lanaddr));
312 strlcpy(lanmask, nvram_safe_get("lan_netmask"), sizeof(lanmask));
313
314 // Drop incoming packets which destination IP address is to our LAN side directly
315 ipt_write("-A PREROUTING -i %s -d %s/%s -j DROP\n",
316 wanface,
317 lanaddr, lanmask); // note: ipt will correct lanaddr
318
319 if (wanup) {
320 if (nvram_match("dns_intcpt", "1")) {
321 ipt_write("-A PREROUTING -p udp -s %s/%s ! -d %s/%s --dport 53 -j DNAT --to-destination %s\n",
322 lanaddr, lanmask,
323 lanaddr, lanmask,
324 lanaddr);
325 }
326
327 // ICMP packets are always redirected to INPUT chains
328 ipt_write("-A PREROUTING -p icmp -d %s -j DNAT --to-destination %s\n", wanaddr, lanaddr);
329
330
331 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
332 p = t;
333 do {
334 if ((c = strchr(p, ',')) != NULL) *c = 0;
335 ipt_source(p, src);
336
337 if (remotemanage) {
338 ipt_write("-A PREROUTING -p tcp -m tcp %s -d %s --dport %s -j DNAT --to-destination %s:%d\n",
339 src,
340 wanaddr, nvram_safe_get("http_wanport"),
341 lanaddr, web_lanport);
342 }
343 if (nvram_get_int("sshd_remote")) {
344 ipt_write("-A PREROUTING %s -p tcp -m tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n",
345 src,
346 wanaddr, nvram_safe_get("sshd_rport"),
347 lanaddr, nvram_safe_get("sshd_port"));
348 }
349
350 if (!c) break;
351 p = c + 1;
352 } while (*p);
353
354 ipt_forward(IPT_TABLE_NAT);
355 ipt_triggered(IPT_TABLE_NAT);
356 }
357
358 #ifdef USE_MINIUPNPD
359 if (nvram_get_int("upnp_enable") & 3) {
360 ipt_write(":upnp - [0:0]\n");
361 if (wanup) {
362 // ! for loopback (all) to work
363 ipt_write("-A PREROUTING -d %s -j upnp\n", wanaddr);
364 }
365 else {
366 ipt_write("-A PREROUTING -i %s -j upnp\n", wanface);
367 }
368 }
369 #else
370 if (nvram_get_int("upnp_enable")) {
371 ipt_write(
372 ":upnp - [0:0]\n"
373 "-A PREROUTING -i %s -j upnp\n",
374 wanface);
375 }
376 #endif
377
378 if (wanup) {
379 if (dmz_dst(dst)) {
380 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
381 p = t;
382 do {
383 if ((c = strchr(p, ',')) != NULL) *c = 0;
384 ipt_source(p, src);
385 ipt_write("-A PREROUTING %s -d %s -j DNAT --to-destination %s\n", src, wanaddr, dst);
386 if (!c) break;
387 p = c + 1;
388 } while (*p);
389 }
390 }
391
392
393
394 ////
395
396 ipt_write("-A POSTROUTING -o %s -j MASQUERADE\n", wanface);
397
398 switch (nvram_get_int("nf_loopback")) {
399 case 1: // 1 = forwarded-only
400 case 2: // 2 = disable
401 break;
402 default: // 0 = all (same as block_loopback=0)
403 ipt_write("-A POSTROUTING -o %s -s %s/%s -d %s/%s -j MASQUERADE\n",
404 lanface,
405 lanaddr, lanmask,
406 lanaddr, lanmask);
407 break;
408 }
409 }
410 ipt_write("COMMIT\n");
411 }
412
413 // -----------------------------------------------------------------------------
414 // FILTER
415 // -----------------------------------------------------------------------------
416
417 static void filter_input(void)
418 {
419 char s[64];
420 char t[512];
421 char *en;
422 char *sec;
423 char *hit;
424 int n;
425 char *p, *c;
426
427 if ((nvram_get_int("nf_loopback") != 0) && (wanup)) { // 0 = all
428 ipt_write("-A INPUT -i %s -d %s -j DROP\n", lanface, wanaddr);
429 }
430
431 ipt_write(
432 "-A INPUT -m state --state INVALID -j %s\n"
433 "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\n",
434 chain_in_drop);
435
436
437 strlcpy(s, nvram_safe_get("ne_shlimit"), sizeof(s));
438 if ((vstrsep(s, ",", &en, &hit, &sec) == 3) && ((n = atoi(en) & 3) != 0)) {
439 /*
440 ? what if the user uses the start button in GUI ?
441 if (nvram_get_int("telnetd_eas"))
442 if (nvram_get_int("sshd_eas"))
443 */
444 modprobe("ipt_recent");
445
446 ipt_write(
447 "-N shlimit\n"
448 "-A shlimit -m recent --set --name shlimit\n"
449 "-A shlimit -m recent --update --hitcount %s --seconds %s --name shlimit -j DROP\n",
450 hit, sec);
451
452 if (n & 1) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("sshd_port"));
453 if (n & 2) ipt_write("-A INPUT -p tcp --dport %s -m state --state NEW -j shlimit\n", nvram_safe_get("telnetd_port"));
454 }
455
456 ipt_write(
457 "-A INPUT -i %s -j ACCEPT\n"
458 "-A INPUT -i lo -j ACCEPT\n",
459 lanface);
460
461 // ICMP request from WAN interface
462 if (nvram_match("block_wan", "0")) {
463 ipt_write("-A INPUT -p icmp -j ACCEPT\n");
464 }
465
466
467 strlcpy(t, nvram_safe_get("rmgt_sip"), sizeof(t));
468 p = t;
469 do {
470 if ((c = strchr(p, ',')) != NULL) *c = 0;
471
472 ipt_source(p, s);
473
474 if (remotemanage) {
475 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %d -j %s\n",
476 s, nvram_safe_get("lan_ipaddr"), web_lanport, chain_in_accept);
477 }
478
479 if (nvram_get_int("sshd_remote")) {
480 ipt_write("-A INPUT -p tcp %s -m tcp -d %s --dport %s -j %s\n",
481 s, nvram_safe_get("lan_ipaddr"), nvram_safe_get("sshd_port"), chain_in_accept);
482 }
483
484 if (!c) break;
485 p = c + 1;
486 } while (*p);
487
488
489 // IGMP query from WAN interface
490 if (nvram_match("multicast_pass", "1")) {
491 ipt_write("-A INPUT -p igmp -j ACCEPT\n");
492 }
493
494 // Routing protocol, RIP, accept
495 if (nvram_invmatch("dr_wan_rx", "0")) {
496 ipt_write("-A INPUT -p udp -m udp --dport 520 -j ACCEPT\n");
497 }
498
499 // if logging
500 if (*chain_in_drop == 'l') {
501 ipt_write( "-A INPUT -j %s\n", chain_in_drop);
502 }
503
504 // default policy: DROP
505 }
506
507 // clamp TCP MSS to PMTU of WAN interface
508 static void clampmss(void)
509 {
510 int rmtu = nvram_get_int("wan_run_mtu");
511
512 ipt_write("-A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss %d: -j TCPMSS ", rmtu - 39);
513 if (rmtu < 576) {
514 ipt_write("--clamp-mss-to-pmtu\n");
515 }
516 else {
517 ipt_write("--set-mss %d\n", rmtu - 40);
518 }
519 }
520
521 static void filter_forward(void)
522 {
523 char dst[64];
524 char src[64];
525 char t[512];
526 char *p, *c;
527
528 ipt_write(
529 "-A FORWARD -i %s -o %s -j ACCEPT\n" // accept all lan to lan
530 "-A FORWARD -m state --state INVALID -j DROP\n", // drop if INVALID state
531 lanface, lanface);
532
533 // clamp tcp mss to pmtu
534 clampmss();
535
536 if (wanup) {
537 ipt_restrictions();
538 ipt_layer7_inbound();
539 }
540
541 ipt_write(
542 ":wanin - [0:0]\n"
543 ":wanout - [0:0]\n"
544 "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n" // already established or related (via helper)
545 "-A FORWARD -i %s -j wanin\n" // generic from wan
546 "-A FORWARD -o %s -j wanout\n" // generic to wan
547 "-A FORWARD -i %s -j %s\n", // from lan
548 wanface, wanface, lanface, chain_out_accept);
549
550 #ifdef USE_MINIUPNPD
551 if (nvram_get_int("upnp_enable") & 3) {
552 ipt_write(
553 ":upnp - [0:0]\n"
554 "-A FORWARD -i %s -j upnp\n",
555 wanface);
556 }
557 #else
558 if (nvram_get_int("upnp_enable")) {
559 ipt_write(
560 ":upnp - [0:0]\n"
561 "-A FORWARD -i %s -j upnp\n",
562 wanface);
563 }
564 #endif
565
566 if (wanup) {
567 if (nvram_match("multicast_pass", "1")) {
568 ipt_write("-A wanin -p udp -m udp -d 224.0.0.0/4 -j %s\n", chain_in_accept);
569 }
570 ipt_triggered(IPT_TABLE_FILTER);
571 ipt_forward(IPT_TABLE_FILTER);
572
573 if (dmz_dst(dst)) {
574 strlcpy(t, nvram_safe_get("dmz_sip"), sizeof(t));
575 p = t;
576 do {
577 if ((c = strchr(p, ',')) != NULL) *c = 0;
578 ipt_source(p, src);
579 ipt_write("-A FORWARD -o %s %s -d %s -j %s\n", lanface, src, dst, chain_in_accept);
580 if (!c) break;
581 p = c + 1;
582 } while (*p);
583 }
584 }
585
586
587 // default policy: DROP
588 }
589
590 static void filter_table(void)
591 {
592 int n;
593 char limit[128];
594
595 ipt_write(
596 "*filter\n"
597 ":INPUT DROP [0:0]\n"
598 ":OUTPUT ACCEPT [0:0]\n"
599 );
600
601 n = nvram_get_int("log_limit");
602 if ((n >= 1) && (n <= 9999)) {
603 sprintf(limit, "-m limit --limit %d/m", n);
604 }
605 else {
606 limit[0] = 0;
607 }
608
609 if ((*chain_in_drop == 'l') || (*chain_out_drop == 'l')) {
610 ipt_write(
611 ":logdrop - [0:0]\n"
612 "-A logdrop -m state --state NEW %s -j LOG --log-prefix \"DROP \" --log-tcp-options --log-ip-options\n"
613 "-A logdrop -j DROP\n"
614 ":logreject - [0:0]\n"
615 "-A logreject %s -j LOG --log-prefix \"REJECT \" --log-tcp-options --log-ip-options\n"
616 "-A logreject -p tcp -j REJECT --reject-with tcp-reset\n",
617 limit, limit);
618 }
619 if ((*chain_in_accept == 'l') || (*chain_out_accept == 'l')) {
620 ipt_write(
621 ":logaccept - [0:0]\n"
622 "-A logaccept -m state --state NEW %s -j LOG --log-prefix \"ACCEPT \" --log-tcp-options --log-ip-options\n"
623 "-A logaccept -j ACCEPT\n",
624 limit);
625 }
626
627 filter_input();
628
629 if ((gateway_mode) || (nvram_match("wk_mode_x", "1"))) {
630 ipt_write(":FORWARD DROP [0:0]\n");
631 filter_forward();
632 }
633 else {
634 ipt_write(":FORWARD ACCEPT [0:0]\n");
635 clampmss();
636 }
637 ipt_write("COMMIT\n");
638 }
639
640
641 // -----------------------------------------------------------------------------
642
643 int start_firewall(void)
644 {
645 DIR *dir;
646 struct dirent *dirent;
647 char s[256];
648 char *c;
649 int n;
650 int wanproto;
651
652 simple_lock("firewall");
653 simple_lock("restrictions");
654
655 wanproto = get_wan_proto();
656 wanup = check_wanup();
657
658
659 /*
660 block obviously spoofed IP addresses
661
662 rp_filter - BOOLEAN
663 1 - do source validation by reversed path, as specified in RFC1812
664 Recommended option for single homed hosts and stub network
665 routers. Could cause troubles for complicated (not loop free)
666 networks running a slow unreliable protocol (sort of RIP),
667 or using static routes.
668 0 - No source validation.
669 */
670 if ((dir = opendir("/proc/sys/net/ipv4/conf")) != NULL) {
671 while ((dirent = readdir(dir)) != NULL) {
672 sprintf(s, "/proc/sys/net/ipv4/conf/%s/rp_filter", dirent->d_name);
673 f_write_string(s, "1", 0, 0);
674 }
675 closedir(dir);
676 }
677
678 f_write_string("/proc/sys/net/ipv4/tcp_syncookies", nvram_get_int("ne_syncookies") ? "1" : "0", 0, 0);
679
680 n = nvram_get_int("log_in");
681 chain_in_drop = (n & 1) ? "logdrop" : "DROP";
682 chain_in_accept = (n & 2) ? "logaccept" : "ACCEPT";
683
684 n = nvram_get_int("log_out");
685 chain_out_drop = (n & 1) ? "logdrop" : "DROP";
686 chain_out_reject = (n & 1) ? "logreject" : "REJECT --reject-with tcp-reset";
687 chain_out_accept = (n & 2) ? "logaccept" : "ACCEPT";
688
689 // if (nvram_match("nf_drop_reset", "1")) chain_out_drop = chain_out_reject;
690
691 strlcpy(lanface, nvram_safe_get("lan_ifname"), IFNAMSIZ);
692
693 if ((wanproto == WP_PPTP) || (wanproto == WP_L2TP) || (wanproto == WP_PPPOE)) {
694 strcpy(wanface, "ppp+");
695 }
696 else {
697 strlcpy(wanface, nvram_safe_get("wan_ifname"), sizeof(wanface));
698 }
699
700 strlcpy(wanaddr, get_wanip(), sizeof(wanaddr));
701
702 strlcpy(s, nvram_safe_get("lan_ipaddr"), sizeof(s));
703 if ((c = strrchr(s, '.')) != NULL) *(c + 1) = 0;
704 strlcpy(lan_cclass, s, sizeof(lan_cclass));
705
706 gateway_mode = !nvram_match("wk_mode", "router");
707 if (gateway_mode) {
708 /* Remote management */
709 if (nvram_match("remote_management", "1") && nvram_invmatch("http_wanport", "") &&
710 nvram_invmatch("http_wanport", "0")) remotemanage = 1;
711 else remotemanage = 0;
712
713 if (nvram_match("remote_mgt_https", "1")) {
714 web_lanport = nvram_get_int("https_lanport");
715 if (web_lanport <= 0) web_lanport = 443;
716 }
717 else {
718 web_lanport = nvram_get_int("http_lanport");
719 if (web_lanport <= 0) web_lanport = 80;
720 }
721 }
722
723
724 if ((ipt_file = fopen(ipt_fname, "w")) == NULL) {
725 syslog(LOG_CRIT, "Unable to create iptables restore file");
726 simple_unlock("firewall");
727 return 0;
728 }
729
730 mangle_table();
731 nat_table();
732 filter_table();
733
734 fclose(ipt_file);
735 ipt_file = NULL;
736
737 #ifdef DEBUG_IPTFILE
738 if (debug_only) {
739 simple_unlock("firewall");
740 simple_unlock("restrictions");
741 return 0;
742 }
743 #endif
744
745 #ifdef USE_MINIUPNPD
746 if (nvram_get_int("upnp_enable") & 3) {
747 f_write("/etc/upnp/save", NULL, 0, 0, 0);
748 if (killall("miniupnpd", SIGUSR2) == 0) {
749 f_wait_notexists("/etc/upnp/save", 5);
750 }
751 }
752 #endif
753
754 if (eval("iptables-restore", (char *)ipt_fname) == 0) {
755 led(LED_DIAG, 0);
756 }
757 else {
758 sprintf(s, "%s.error", ipt_fname);
759 rename(ipt_fname, s);
760 syslog(LOG_CRIT, "Error while loading rules. See %s file.", s);
761 led(LED_DIAG, 1);
762
763 /*
764
765 -P INPUT DROP
766 -F INPUT
767 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
768 -A INPUT -i br0 -j ACCEPT
769
770 -P FORWARD DROP
771 -F FORWARD
772 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
773 -A FORWARD -i br0 -j ACCEPT
774
775 */
776 }
777
778 #ifdef USE_MINIUPNPD
779 if (nvram_get_int("upnp_enable") & 3) {
780 f_write("/etc/upnp/load", NULL, 0, 0, 0);
781 killall("miniupnpd", SIGUSR2);
782 }
783 #else
784 if (nvram_get_int("upnp_enable")) {
785 killall("upnp", SIGHUP);
786 }
787 #endif
788
789 simple_unlock("restrictions");
790 sched_restrictions();
791 enable_ip_forward();
792
793 led(LED_DMZ, dmz_dst(NULL));
794
795 modprobe_r("ipt_layer7");
796 modprobe_r("ipt_ipp2p");
797 modprobe_r("ipt_web");
798 modprobe_r("ipt_TTL");
799
800 run_nvscript("script_fire", NULL, 1);
801
802 simple_unlock("firewall");
803 return 0;
804 }
805
806 int stop_firewall(void)
807 {
808 led(LED_DMZ, 0);
809 return 0;
810 }
811
812 #ifdef DEBUG_IPTFILE
813 void create_test_iptfile(void)
814 {
815 debug_only = 1;
816 start_firewall();
817 debug_only = 0;
818 }
819 #endif
820
Tomato firmware and modifications.